From eb8da9cd053c453e2eab83e89ddd50c24f34e523 Mon Sep 17 00:00:00 2001 From: protectionsmachine <72879786+protectionsmachine@users.noreply.github.com> Date: Tue, 14 Nov 2023 20:23:19 +0000 Subject: [PATCH 1/3] Update latest docs --- ...l-process-id-or-lock-file-created.asciidoc | 122 +++ ...ess-of-stored-browser-credentials.asciidoc | 87 ++ ...ess-to-a-sensitive-ldap-attribute.asciidoc | 110 +++ ...-keychain-credentials-directories.asciidoc | 93 +++ ...covery-command-via-system-account.asciidoc | 116 +++ ...le-8-11-3-adfind-command-activity.asciidoc | 146 ++++ ...insdholder-sdprop-exclusion-added.asciidoc | 123 +++ ...e-8-11-3-adobe-hijack-persistence.asciidoc | 135 +++ ...ion-with-administrator-privileges.asciidoc | 72 ++ ...tempt-to-clear-kernel-ring-buffer.asciidoc | 72 ++ ...t-to-disable-iptables-or-firewall.asciidoc | 78 ++ ...attempt-to-disable-syslog-service.asciidoc | 70 ++ ...-mount-smb-share-via-command-line.asciidoc | 74 ++ ...-remove-file-quarantine-attribute.asciidoc | 73 ++ ...base32-encoding-decoding-activity.asciidoc | 67 ++ ...uted-from-shared-memory-directory.asciidoc | 69 ++ ...-11-3-bpf-filter-applied-using-tc.asciidoc | 69 ++ ...-11-3-bypass-uac-via-event-viewer.asciidoc | 149 ++++ ...rule-8-11-3-chkconfig-service-add.asciidoc | 72 ++ ...-clearing-windows-console-history.asciidoc | 128 +++ ...-11-3-clearing-windows-event-logs.asciidoc | 122 +++ ...-execution-via-solarwinds-process.asciidoc | 95 +++ ...ell-activity-started-via-rundll32.asciidoc | 98 +++ ...-component-object-model-hijacking.asciidoc | 180 ++++ ...wned-by-suspicious-parent-process.asciidoc | 147 ++++ ...ed-free-ssl-certificate-providers.asciidoc | 74 ++ ...n-to-commonly-abused-web-services.asciidoc | 227 +++++ ...on-to-external-network-via-telnet.asciidoc | 70 ++ ...on-to-internal-network-via-telnet.asciidoc | 70 ++ ...el-process-with-unusual-arguments.asciidoc | 84 ++ ...on-of-a-hidden-local-user-account.asciidoc | 109 +++ ...s-and-directories-via-commandline.asciidoc | 71 ++ ...-of-hidden-launch-agent-or-daemon.asciidoc | 87 ++ ...idden-login-item-via-apple-script.asciidoc | 82 ++ ...tion-of-hidden-shared-object-file.asciidoc | 66 ++ ...new-gpo-scheduled-task-or-service.asciidoc | 83 ++ ...f-domain-backup-dpapi-private-key.asciidoc | 86 ++ ...-modification-of-root-certificate.asciidoc | 145 ++++ ...isition-via-registry-hive-dumping.asciidoc | 125 +++ ...ged-by-previously-unknown-process.asciidoc | 97 +++ ...ting-backup-catalogs-with-wbadmin.asciidoc | 117 +++ ...ell-via-suspicious-parent-process.asciidoc | 95 +++ ...ecurity-logs-using-built-in-tools.asciidoc | 134 +++ ...-windows-firewall-rules-via-netsh.asciidoc | 111 +++ ...control-via-registry-modification.asciidoc | 161 ++++ ...-security-settings-via-powershell.asciidoc | 130 +++ ...s-over-https-enabled-via-registry.asciidoc | 76 ++ ...hain-content-via-security-command.asciidoc | 66 ++ ...t-rule-8-11-3-dynamic-linker-copy.asciidoc | 69 ++ ...-elastic-agent-service-terminated.asciidoc | 84 ++ ...nd-rules-creation-or-modification.asciidoc | 68 ++ ...-host-network-discovery-via-netsh.asciidoc | 109 +++ ...ncrypting-files-with-winrar-or-7z.asciidoc | 134 +++ ...tion-command-spawned-via-wmiprvse.asciidoc | 122 +++ ...eration-of-administrator-accounts.asciidoc | 137 +++ ...1-3-enumeration-of-kernel-modules.asciidoc | 63 ++ ...rivileged-local-groups-membership.asciidoc | 159 ++++ ...s-or-groups-via-built-in-commands.asciidoc | 90 ++ ...le-8-11-3-esxi-discovery-via-find.asciidoc | 62 ++ ...le-8-11-3-esxi-discovery-via-grep.asciidoc | 63 ++ ...-timestomping-using-touch-command.asciidoc | 66 ++ ...creation-with-multiple-extensions.asciidoc | 83 ++ ...om-unusual-directory-command-line.asciidoc | 244 ++++++ ...ecution-of-com-object-via-xwizard.asciidoc | 77 ++ ...ution-via-local-sxs-shared-module.asciidoc | 77 ++ ...ssql-xp-cmdshell-stored-procedure.asciidoc | 134 +++ ...execution-via-tsclient-mountpoint.asciidoc | 69 ++ ...g-exchange-mailbox-via-powershell.asciidoc | 139 ++++ ...-deletion-in-suspicious-directory.asciidoc | 72 ++ ...le-8-11-3-file-deletion-via-shred.asciidoc | 64 ++ ...1-3-file-made-immutable-by-chattr.asciidoc | 68 ++ ...odification-in-writable-directory.asciidoc | 62 ++ ...r-listener-established-via-netcat.asciidoc | 133 +++ ...me-seen-account-performing-dcsync.asciidoc | 136 +++ ...licy-abuse-for-privilege-addition.asciidoc | 108 +++ ...gh-number-of-process-terminations.asciidoc | 103 +++ ...t-rule-8-11-3-hosts-file-modified.asciidoc | 127 +++ ...ule-8-11-3-hping-process-activity.asciidoc | 65 ++ ...-8-11-3-iis-http-logging-disabled.asciidoc | 113 +++ ...windows-update-auto-update-client.asciidoc | 71 ++ ...ingress-transfer-via-windows-bits.asciidoc | 84 ++ ...tion-of-security-support-provider.asciidoc | 83 ++ ...ractive-terminal-spawned-via-perl.asciidoc | 63 ++ ...ctive-terminal-spawned-via-python.asciidoc | 71 ++ ...-authentication-disabled-for-user.asciidoc | 129 +++ ...eros-traffic-from-unusual-process.asciidoc | 168 ++++ ...load-or-unload-via-kexec-detected.asciidoc | 90 ++ ...1-3-kernel-module-load-via-insmod.asciidoc | 69 ++ ...rule-8-11-3-kernel-module-removal.asciidoc | 81 ++ ...ssword-retrieval-via-command-line.asciidoc | 80 ++ ...8-11-3-krbtgt-delegation-backdoor.asciidoc | 74 ++ ...teral-movement-via-startup-folder.asciidoc | 87 ++ ...-rule-8-11-3-linux-group-creation.asciidoc | 119 +++ ...ux-init-pid-1-secret-dump-via-gdb.asciidoc | 67 ++ ...shell-breakout-via-linux-binary-s.asciidoc | 193 +++++ ...-11-3-linux-user-account-creation.asciidoc | 118 +++ ...ux-user-added-to-privileged-group.asciidoc | 128 +++ ...8-11-3-lsass-memory-dump-creation.asciidoc | 151 ++++ ...3-lsass-memory-dump-handle-access.asciidoc | 155 ++++ ...ss-process-access-via-windows-api.asciidoc | 116 +++ ...masquerading-space-after-filename.asciidoc | 70 ++ ...engine-started-an-unusual-process.asciidoc | 77 ++ ...ngine-started-by-a-script-process.asciidoc | 89 ++ ...ngine-started-by-a-system-process.asciidoc | 74 ++ ...-started-by-an-office-application.asciidoc | 142 ++++ ...ld-engine-using-an-alternate-name.asciidoc | 137 +++ ...-um-spawning-suspicious-processes.asciidoc | 84 ++ ...erver-um-writing-suspicious-files.asciidoc | 107 +++ ...ker-spawning-suspicious-processes.asciidoc | 87 ++ ...iis-connection-strings-decryption.asciidoc | 68 ++ ...s-service-account-password-dumped.asciidoc | 67 ++ ...rosoft-windows-defender-tampering.asciidoc | 148 ++++ ...mimikatz-memssp-log-file-detected.asciidoc | 115 +++ ...cation-of-amsienable-registry-key.asciidoc | 139 ++++ ...odification-of-boot-configuration.asciidoc | 116 +++ ...amic-linker-preload-shared-object.asciidoc | 69 ++ ...-modification-of-openssh-binaries.asciidoc | 101 +++ ...on-of-the-mspkiaccountcredentials.asciidoc | 68 ++ ...tion-of-wdigest-security-provider.asciidoc | 129 +++ ...ng-hidden-or-webdav-remote-shares.asciidoc | 103 +++ ...o-security-registry-modifications.asciidoc | 142 ++++ ...failure-followed-by-logon-success.asciidoc | 145 ++++ ...lure-from-the-same-source-address.asciidoc | 150 ++++ ...ltiple-vault-web-credentials-read.asciidoc | 83 ++ ...espace-manipulation-using-unshare.asciidoc | 68 ++ ...t-listener-established-via-rlwrap.asciidoc | 66 ++ ...network-activity-detected-via-cat.asciidoc | 67 ++ ...ork-activity-detected-via-kworker.asciidoc | 76 ++ ...-via-recently-compiled-executable.asciidoc | 76 ++ ...on-provider-registry-modification.asciidoc | 90 ++ ...oweddeviceid-added-via-powershell.asciidoc | 84 ++ ...ted-by-previously-unknown-process.asciidoc | 94 +++ ...-8-11-3-new-systemd-timer-created.asciidoc | 140 ++++ ...ule-8-11-3-nping-process-activity.asciidoc | 64 ++ ...-ntds-or-sam-database-file-copied.asciidoc | 83 ++ ...-11-3-peripheral-device-discovery.asciidoc | 103 +++ ...tence-via-bits-job-notify-cmdline.asciidoc | 74 ++ ...tence-via-hidden-run-key-detected.asciidoc | 101 +++ ...ript-or-desktop-file-modification.asciidoc | 80 ++ ...sistence-via-login-or-logout-hook.asciidoc | 71 ++ ...tence-via-microsoft-office-addins.asciidoc | 76 ++ ...istence-via-microsoft-outlook-vba.asciidoc | 67 ++ ...stence-via-scheduled-job-creation.asciidoc | 68 ++ ...ycontroller-scheduled-task-hijack.asciidoc | 97 +++ ...pdate-orchestrator-service-hijack.asciidoc | 160 ++++ ...stence-via-wmi-event-subscription.asciidoc | 81 ++ ...-scripts-in-the-startup-directory.asciidoc | 147 ++++ ...1-3-port-forwarding-rule-addition.asciidoc | 128 +++ ...-application-shimming-via-sdbinst.asciidoc | 81 ++ ...ial-code-execution-via-postgresql.asciidoc | 69 ++ ...okies-theft-via-browser-debugging.asciidoc | 81 ++ ...tial-credential-access-via-dcsync.asciidoc | 155 ++++ ...cess-via-duplicatehandle-in-lsass.asciidoc | 72 ++ ...tial-access-via-lsass-memory-dump.asciidoc | 87 ++ ...cess-via-renamed-com-services-dll.asciidoc | 85 ++ ...tial-access-via-windows-utilities.asciidoc | 161 ++++ ...-curl-cve-2023-38545-exploitation.asciidoc | 68 ++ ...tential-defense-evasion-via-proot.asciidoc | 61 ++ ...3-potential-disabling-of-apparmor.asciidoc | 66 ++ ...-3-potential-disabling-of-selinux.asciidoc | 66 ++ ...ft-antimalware-service-executable.asciidoc | 80 ++ ...ng-via-trusted-microsoft-programs.asciidoc | 81 ++ ...ential-dns-tunneling-via-nslookup.asciidoc | 117 +++ ...al-linux-ssh-brute-force-detected.asciidoc | 118 +++ ...-hidden-process-via-mount-hidepid.asciidoc | 62 ++ ...al-linux-ssh-brute-force-detected.asciidoc | 114 +++ ...invoke-mimikatz-powershell-script.asciidoc | 130 +++ ...ux-backdoor-user-account-creation.asciidoc | 123 +++ ...ntial-dumping-via-proc-filesystem.asciidoc | 76 ++ ...x-credential-dumping-via-unshadow.asciidoc | 68 ++ ...otential-linux-hack-tool-launched.asciidoc | 73 ++ ...ocal-account-brute-force-detected.asciidoc | 67 ++ ...ransomware-note-creation-detected.asciidoc | 67 ++ ...-tunneling-and-or-port-forwarding.asciidoc | 77 ++ ...e-creation-via-psscapturesnapshot.asciidoc | 70 ++ ...emory-dump-via-psscapturesnapshot.asciidoc | 70 ++ ...file-downloaded-from-google-drive.asciidoc | 113 +++ ...tential-meterpreter-reverse-shell.asciidoc | 81 ++ ...ication-of-accessibility-binaries.asciidoc | 173 ++++ ...l-network-scan-executed-from-host.asciidoc | 60 ++ ...openssh-backdoor-logging-activity.asciidoc | 103 +++ ...rsistence-through-init-d-detected.asciidoc | 138 +++ ...rough-motd-file-creation-detected.asciidoc | 133 +++ ...ence-through-run-control-detected.asciidoc | 141 ++++ ...hacktool-script-by-function-names.asciidoc | 248 ++++++ ...-bypass-via-localhost-secure-copy.asciidoc | 75 ++ ...rol-bypass-via-tccdb-modification.asciidoc | 70 ++ ...on-through-writable-docker-socket.asciidoc | 67 ++ ...on-via-container-misconfiguration.asciidoc | 67 ++ ...lege-escalation-via-cve-2023-4911.asciidoc | 64 ++ ...alation-via-installerfiletakeover.asciidoc | 142 ++++ ...rivilege-escalation-via-overlayfs.asciidoc | 67 ++ ...l-privilege-escalation-via-pkexec.asciidoc | 77 ++ ...-escalation-via-python-cap-setuid.asciidoc | 71 ++ ...-via-recently-compiled-executable.asciidoc | 68 ++ ...tion-via-uid-int-max-bug-detected.asciidoc | 64 ++ ...ation-via-samaccountname-spoofing.asciidoc | 88 ++ ...-process-injection-via-powershell.asciidoc | 145 ++++ ...tocol-tunneling-via-chisel-client.asciidoc | 70 ++ ...tocol-tunneling-via-chisel-server.asciidoc | 70 ++ ...-protocol-tunneling-via-earthworm.asciidoc | 66 ++ ...-pspy-process-monitoring-detected.asciidoc | 67 ++ ...ote-code-execution-via-web-server.asciidoc | 154 ++++ ...te-credential-access-via-registry.asciidoc | 122 +++ ...remote-desktop-shadowing-activity.asciidoc | 85 ++ ...remote-desktop-tunneling-detected.asciidoc | 125 +++ ...verse-shell-activity-via-terminal.asciidoc | 115 +++ ...erse-shell-via-background-process.asciidoc | 73 ++ ...-potential-reverse-shell-via-java.asciidoc | 81 ++ ...verse-shell-via-suspicious-binary.asciidoc | 90 ++ ...hell-via-suspicious-child-process.asciidoc | 97 +++ ...3-potential-reverse-shell-via-udp.asciidoc | 86 ++ ...le-8-11-3-potential-reverse-shell.asciidoc | 80 ++ ...ow-credentials-added-to-ad-object.asciidoc | 109 +++ ...e-read-via-command-line-utilities.asciidoc | 79 ++ ...l-via-wildcard-injection-detected.asciidoc | 77 ++ ...ential-ssh-it-ssh-worm-downloaded.asciidoc | 78 ++ ...x-ftp-brute-force-attack-detected.asciidoc | 73 ++ ...x-rdp-brute-force-attack-detected.asciidoc | 71 ++ ...successful-ssh-brute-force-attack.asciidoc | 109 +++ ...potential-sudo-hijacking-detected.asciidoc | 77 ++ ...ege-escalation-via-cve-2019-14287.asciidoc | 63 ++ ...anipulation-via-process-injection.asciidoc | 77 ++ ...icious-debugfs-root-device-access.asciidoc | 69 ++ ...s-via-wildcard-injection-detected.asciidoc | 77 ++ ...-upgrade-of-non-interactive-shell.asciidoc | 69 ++ ...3-powershell-kerberos-ticket-dump.asciidoc | 89 ++ ...owershell-kerberos-ticket-request.asciidoc | 132 +++ ...11-3-powershell-keylogging-script.asciidoc | 140 ++++ ...ershell-mailbox-collection-script.asciidoc | 142 ++++ ...8-11-3-powershell-minidump-script.asciidoc | 125 +++ ...-11-3-powershell-psreflect-script.asciidoc | 159 ++++ ...-token-impersonation-capabilities.asciidoc | 114 +++ ...wershell-share-enumeration-script.asciidoc | 143 ++++ ...ery-related-windows-api-functions.asciidoc | 179 ++++ ...us-payload-encoded-and-compressed.asciidoc | 155 ++++ ...t-with-audio-capture-capabilities.asciidoc | 135 +++ ...-clipboard-retrieval-capabilities.asciidoc | 146 ++++ ...ript-with-screenshot-capabilities.asciidoc | 124 +++ ...tion-via-named-pipe-impersonation.asciidoc | 128 +++ ...ia-rogue-named-pipe-impersonation.asciidoc | 66 ++ ...-3-privileged-account-brute-force.asciidoc | 133 +++ ...s-activity-via-compiled-html-file.asciidoc | 147 ++++ ...cess-creation-via-secondary-logon.asciidoc | 79 ++ ...ecution-from-an-unusual-directory.asciidoc | 93 +++ ...-started-from-process-id-pid-file.asciidoc | 84 ++ ...gram-files-directory-masquerading.asciidoc | 69 ++ ...pt-for-credentials-with-osascript.asciidoc | 68 ++ ...e-8-11-3-rdp-enabled-via-registry.asciidoc | 130 +++ ...istry-persistence-via-appcert-dll.asciidoc | 85 ++ ...istry-persistence-via-appinit-dll.asciidoc | 148 ++++ ...bled-in-windows-firewall-by-netsh.asciidoc | 115 +++ ...emote-file-copy-to-a-hidden-share.asciidoc | 69 ++ ...3-remote-file-copy-via-teamviewer.asciidoc | 138 +++ ...oad-via-desktopimgdownldr-utility.asciidoc | 131 +++ ...remote-file-download-via-mpcmdrun.asciidoc | 129 +++ ...mote-file-download-via-powershell.asciidoc | 143 ++++ ...enamed-autoit-scripts-interpreter.asciidoc | 127 +++ ...d-task-execution-at-scale-via-gpo.asciidoc | 133 +++ ...cheduled-tasks-at-command-enabled.asciidoc | 86 ++ ...le-modified-by-unexpected-process.asciidoc | 106 +++ ...or-saved-credentials-via-vaultcmd.asciidoc | 77 ++ ...urity-software-discovery-via-grep.asciidoc | 147 ++++ ...e-enabled-by-a-suspicious-process.asciidoc | 84 ++ ...-11-3-sensitive-files-compression.asciidoc | 112 +++ ...ationprivilege-assigned-to-a-user.asciidoc | 121 +++ ...tcap-setuid-setgid-capability-set.asciidoc | 68 ++ ...ged-by-previously-unknown-process.asciidoc | 70 ++ ...oxy-execution-via-ms-work-folders.asciidoc | 108 +++ ...s-disabling-services-via-registry.asciidoc | 98 +++ ...ript-added-to-group-policy-object.asciidoc | 126 +++ ...rsistence-by-a-suspicious-process.asciidoc | 155 ++++ ...ing-activity-with-high-confidence.asciidoc | 73 ++ ...el-detected-c2-beaconing-activity.asciidoc | 73 ++ ...r-application-script-modification.asciidoc | 75 ++ ...sudo-command-enumeration-detected.asciidoc | 62 ++ ...3-suid-sguid-enumeration-detected.asciidoc | 82 ++ ...-suspicious-cmd-execution-via-wmi.asciidoc | 73 ++ ...racted-or-decompressed-via-funzip.asciidoc | 83 ++ ...ta-encryption-via-openssl-utility.asciidoc | 68 ++ ...rsistence-or-privilege-escalation.asciidoc | 170 ++++ ...-endpoint-security-parent-process.asciidoc | 74 ++ ...s-execution-from-a-mounted-device.asciidoc | 97 +++ ...ious-execution-via-scheduled-task.asciidoc | 115 +++ ...suspicious-explorer-child-process.asciidoc | 113 +++ ...us-file-changes-activity-detected.asciidoc | 64 ++ ...e-creation-in-etc-for-persistence.asciidoc | 114 +++ ...1-3-suspicious-html-file-creation.asciidoc | 99 +++ ...-load-taskschd-dll-from-ms-office.asciidoc | 86 ++ ...process-communication-via-outlook.asciidoc | 91 ++ ...1-3-suspicious-java-child-process.asciidoc | 112 +++ ...ious-lsass-access-via-malseclogon.asciidoc | 73 ++ ...3-suspicious-lsass-process-access.asciidoc | 89 ++ ...soft-diagnostics-wizard-execution.asciidoc | 78 ++ ...ous-mining-process-creation-event.asciidoc | 67 ++ ...suspicious-module-loaded-by-lsass.asciidoc | 130 +++ ...uspicious-ms-office-child-process.asciidoc | 159 ++++ ...spicious-ms-outlook-child-process.asciidoc | 158 ++++ ...3-suspicious-net-code-compilation.asciidoc | 82 ++ ...ous-net-reflection-via-powershell.asciidoc | 168 ++++ ...-by-previously-unknown-executable.asciidoc | 80 ++ ...spicious-pdf-reader-child-process.asciidoc | 145 ++++ ...able-encoded-in-powershell-script.asciidoc | 145 ++++ ...cious-print-spooler-file-deletion.asciidoc | 68 ++ ...us-print-spooler-spl-file-created.asciidoc | 149 ++++ ...-service-executable-file-creation.asciidoc | 74 ++ ...ess-access-via-direct-system-call.asciidoc | 154 ++++ ...ion-via-renamed-psexec-executable.asciidoc | 121 +++ ...rocess-spawned-from-motd-detected.asciidoc | 152 ++++ ...picious-rdp-activex-client-loaded.asciidoc | 85 ++ ...stry-access-via-sebackupprivilege.asciidoc | 128 +++ ...suspicious-renaming-of-esxi-files.asciidoc | 67 ++ ...-renaming-of-esxi-index-html-file.asciidoc | 66 ++ ...spicious-solarwinds-child-process.asciidoc | 91 ++ ...-suspicious-symbolic-link-created.asciidoc | 92 ++ ...-by-previously-unknown-executable.asciidoc | 73 ++ ...cious-termination-of-esxi-process.asciidoc | 62 ++ ...-utility-launched-via-proxychains.asciidoc | 65 ++ ...suspicious-werfault-child-process.asciidoc | 101 +++ ...ous-wmi-image-load-from-ms-office.asciidoc | 68 ++ ...-rule-8-11-3-svchost-spawning-cmd.asciidoc | 123 +++ ...bolic-link-to-shadow-copy-created.asciidoc | 128 +++ ...-or-moved-to-suspicious-directory.asciidoc | 93 +++ ...e-8-11-3-system-log-file-deletion.asciidoc | 83 ++ ...ring-of-bash-command-line-history.asciidoc | 76 ++ ...es-deleted-via-unexpected-process.asciidoc | 133 +++ ...threat-intel-hash-indicator-match.asciidoc | 116 +++ ...-intel-ip-address-indicator-match.asciidoc | 118 +++ ...-threat-intel-url-indicator-match.asciidoc | 121 +++ ...-windows-registry-indicator-match.asciidoc | 111 +++ ...-timestomping-using-touch-command.asciidoc | 68 ++ ...nternet-explorer-add-on-installer.asciidoc | 100 +++ ...eged-ifileoperation-com-interface.asciidoc | 95 +++ ...ia-windows-directory-masquerading.asciidoc | 153 ++++ ...ademanager-elevated-com-interface.asciidoc | 98 +++ ...diskcleanup-scheduled-task-hijack.asciidoc | 97 +++ ...icmluautil-elevated-com-interface.asciidoc | 96 +++ ...a-windows-firewall-snap-in-hijack.asciidoc | 156 ++++ ...ocess-of-macos-screensaver-engine.asciidoc | 82 ++ ...-loading-from-a-suspicious-folder.asciidoc | 153 ++++ ...ess-from-a-system-virtual-process.asciidoc | 65 ++ ...-unusual-child-process-of-dns-exe.asciidoc | 115 +++ ...tion-by-a-system-critical-process.asciidoc | 141 ++++ ...le-creation-alternate-data-stream.asciidoc | 191 +++++ ...sual-file-modification-by-dns-exe.asciidoc | 85 ++ ...unusual-parent-child-relationship.asciidoc | 158 ++++ ...nusual-parent-process-for-cmd-exe.asciidoc | 89 ++ ...usual-print-spooler-child-process.asciidoc | 75 ++ ...cution-path-alternate-data-stream.asciidoc | 68 ++ ...t-child-process-childless-service.asciidoc | 99 +++ ...user-privilege-enumeration-via-id.asciidoc | 62 ++ ...rule-8-11-3-user-account-creation.asciidoc | 112 +++ ...-account-exposed-to-kerberoasting.asciidoc | 119 +++ ...-3-user-added-to-privileged-group.asciidoc | 111 +++ ...l-machine-fingerprinting-via-grep.asciidoc | 66 ++ ...-3-virtual-machine-fingerprinting.asciidoc | 68 ++ ...rivate-network-connection-attempt.asciidoc | 69 ++ ...y-deleted-or-resized-via-vssadmin.asciidoc | 132 +++ ...adow-copy-deletion-via-powershell.asciidoc | 151 ++++ ...ume-shadow-copy-deletion-via-wmic.asciidoc | 141 ++++ ...ess-child-of-common-web-processes.asciidoc | 159 ++++ ...1-3-webserver-access-logs-deleted.asciidoc | 69 ++ ...le-8-11-3-whoami-process-activity.asciidoc | 122 +++ ...isabled-via-registry-modification.asciidoc | 144 ++++ ...r-exclusions-added-via-powershell.asciidoc | 144 ++++ ...-firewall-disabled-via-powershell.asciidoc | 131 +++ ...gistry-file-creation-in-smb-share.asciidoc | 129 +++ ...ndows-script-executing-powershell.asciidoc | 144 ++++ ...e-installed-via-an-unusual-client.asciidoc | 69 ++ ...1-3-zoom-meeting-with-no-passcode.asciidoc | 61 ++ .../prebuilt-rules-8-11-3-appendix.asciidoc | 376 +++++++++ .../prebuilt-rules-8-11-3-summary.asciidoc | 752 +++++++++++++++++ ...ebuilt-rules-downloadable-updates.asciidoc | 5 + .../prebuilt-rules-reference.asciidoc | 786 +++++++++--------- .../prebuilt-rules/rule-desc-index.asciidoc | 6 + ...l-process-id-or-lock-file-created.asciidoc | 2 +- ...ess-of-stored-browser-credentials.asciidoc | 13 +- ...ess-to-a-sensitive-ldap-attribute.asciidoc | 22 +- ...-keychain-credentials-directories.asciidoc | 10 +- ...ured-with-never-expiring-password.asciidoc | 4 +- ...covery-command-via-system-account.asciidoc | 4 +- ...-hidden-file-attribute-via-attrib.asciidoc | 2 +- .../adfind-command-activity.asciidoc | 4 +- ...insdholder-sdprop-exclusion-added.asciidoc | 4 +- .../adobe-hijack-persistence.asciidoc | 7 +- ...-process-for-a-windows-population.asciidoc | 2 +- ...nomalous-windows-process-creation.asciidoc | 2 +- ...ion-with-administrator-privileges.asciidoc | 10 +- ...tempt-to-clear-kernel-ring-buffer.asciidoc | 72 ++ ...t-to-disable-iptables-or-firewall.asciidoc | 2 +- ...attempt-to-disable-syslog-service.asciidoc | 2 +- ...-mount-smb-share-via-command-line.asciidoc | 10 +- ...-remove-file-quarantine-attribute.asciidoc | 10 +- ...base32-encoding-decoding-activity.asciidoc | 2 +- ...uted-from-shared-memory-directory.asciidoc | 2 +- .../bpf-filter-applied-using-tc.asciidoc | 2 +- .../bypass-uac-via-event-viewer.asciidoc | 6 +- .../chkconfig-service-add.asciidoc | 2 +- .../clearing-windows-console-history.asciidoc | 4 +- .../clearing-windows-event-logs.asciidoc | 4 +- ...dification-through-built-in-tools.asciidoc | 2 +- ...icy-modification-through-registry.asciidoc | 2 +- ...-execution-via-solarwinds-process.asciidoc | 10 +- ...command-prompt-network-connection.asciidoc | 2 +- ...ell-activity-started-via-rundll32.asciidoc | 10 +- .../component-object-model-hijacking.asciidoc | 5 +- ...wned-by-suspicious-parent-process.asciidoc | 4 +- ...ed-free-ssl-certificate-providers.asciidoc | 10 +- ...n-to-commonly-abused-web-services.asciidoc | 50 +- ...on-to-external-network-via-telnet.asciidoc | 2 +- ...on-to-internal-network-via-telnet.asciidoc | 2 +- ...el-process-with-unusual-arguments.asciidoc | 10 +- ...on-of-a-hidden-local-user-account.asciidoc | 6 +- ...s-and-directories-via-commandline.asciidoc | 2 +- ...-of-hidden-launch-agent-or-daemon.asciidoc | 10 +- ...idden-login-item-via-apple-script.asciidoc | 10 +- ...tion-of-hidden-shared-object-file.asciidoc | 2 +- ...new-gpo-scheduled-task-or-service.asciidoc | 10 +- ...f-domain-backup-dpapi-private-key.asciidoc | 4 +- ...-modification-of-root-certificate.asciidoc | 4 +- ...isition-via-registry-hive-dumping.asciidoc | 4 +- ...ged-by-previously-unknown-process.asciidoc | 2 +- ...ting-backup-catalogs-with-wbadmin.asciidoc | 4 +- ...ell-via-suspicious-parent-process.asciidoc | 2 +- .../direct-outbound-smb-connection.asciidoc | 2 +- ...ecurity-logs-using-built-in-tools.asciidoc | 4 +- ...-windows-firewall-rules-via-netsh.asciidoc | 4 +- ...control-via-registry-modification.asciidoc | 4 +- ...-security-settings-via-powershell.asciidoc | 4 +- ...s-over-https-enabled-via-registry.asciidoc | 10 +- ...hain-content-via-security-command.asciidoc | 10 +- .../rule-details/dynamic-linker-copy.asciidoc | 2 +- .../elastic-agent-service-terminated.asciidoc | 10 +- ...nd-rules-creation-or-modification.asciidoc | 10 +- ...-host-network-discovery-via-netsh.asciidoc | 4 +- ...ncrypting-files-with-winrar-or-7z.asciidoc | 34 +- ...tion-command-spawned-via-wmiprvse.asciidoc | 10 +- ...eration-of-administrator-accounts.asciidoc | 4 +- ...ration-of-kernel-modules-via-proc.asciidoc | 24 +- .../enumeration-of-kernel-modules.asciidoc | 2 +- ...rivileged-local-groups-membership.asciidoc | 20 +- ...s-or-groups-via-built-in-commands.asciidoc | 10 +- .../esxi-discovery-via-find.asciidoc | 2 +- .../esxi-discovery-via-grep.asciidoc | 2 +- ...-timestomping-using-touch-command.asciidoc | 2 +- ...creation-with-multiple-extensions.asciidoc | 10 +- ...om-unusual-directory-command-line.asciidoc | 6 +- ...ecution-of-com-object-via-xwizard.asciidoc | 10 +- ...ution-via-local-sxs-shared-module.asciidoc | 4 +- ...ssql-xp-cmdshell-stored-procedure.asciidoc | 4 +- ...execution-via-tsclient-mountpoint.asciidoc | 10 +- ...g-exchange-mailbox-via-powershell.asciidoc | 4 +- ...-deletion-in-suspicious-directory.asciidoc | 2 +- .../file-deletion-via-shred.asciidoc | 2 +- .../file-made-immutable-by-chattr.asciidoc | 2 +- ...odification-in-writable-directory.asciidoc | 2 +- ...r-listener-established-via-netcat.asciidoc | 2 +- ...value-accessed-in-secrets-manager.asciidoc | 2 +- .../first-time-seen-driver-loaded.asciidoc | 2 +- ...me-seen-account-performing-dcsync.asciidoc | 4 +- ...licy-abuse-for-privilege-addition.asciidoc | 4 +- ...gh-number-of-process-terminations.asciidoc | 2 +- .../rule-details/hosts-file-modified.asciidoc | 4 +- .../hping-process-activity.asciidoc | 2 +- .../iis-http-logging-disabled.asciidoc | 4 +- ...windows-update-auto-update-client.asciidoc | 10 +- ...ingress-transfer-via-windows-bits.asciidoc | 21 +- ...tion-of-security-support-provider.asciidoc | 10 +- ...ractive-terminal-spawned-via-perl.asciidoc | 2 +- ...ctive-terminal-spawned-via-python.asciidoc | 2 +- ...-authentication-disabled-for-user.asciidoc | 4 +- ...eros-traffic-from-unusual-process.asciidoc | 91 +- .../rule-details/kernel-driver-load.asciidoc | 74 ++ ...load-or-unload-via-kexec-detected.asciidoc | 2 +- .../kernel-module-load-via-insmod.asciidoc | 2 +- .../kernel-module-removal.asciidoc | 2 +- ...ssword-retrieval-via-command-line.asciidoc | 10 +- .../krbtgt-delegation-backdoor.asciidoc | 10 +- ...teral-movement-via-startup-folder.asciidoc | 10 +- .../linux-group-creation.asciidoc | 7 +- ...ux-init-pid-1-secret-dump-via-gdb.asciidoc | 2 +- ...shell-breakout-via-linux-binary-s.asciidoc | 2 +- .../linux-user-account-creation.asciidoc | 7 +- ...ux-user-added-to-privileged-group.asciidoc | 6 +- .../lsass-memory-dump-creation.asciidoc | 36 +- .../lsass-memory-dump-handle-access.asciidoc | 24 +- ...ss-process-access-via-windows-api.asciidoc | 70 +- ...masquerading-space-after-filename.asciidoc | 10 +- ...engine-started-an-unusual-process.asciidoc | 10 +- ...ngine-started-by-a-script-process.asciidoc | 2 +- ...ngine-started-by-a-system-process.asciidoc | 10 +- ...-started-by-an-office-application.asciidoc | 4 +- ...ld-engine-using-an-alternate-name.asciidoc | 6 +- ...-um-spawning-suspicious-processes.asciidoc | 10 +- ...erver-um-writing-suspicious-files.asciidoc | 5 +- ...ge-transport-agent-install-script.asciidoc | 10 +- ...ker-spawning-suspicious-processes.asciidoc | 10 +- ...iis-connection-strings-decryption.asciidoc | 10 +- ...s-service-account-password-dumped.asciidoc | 10 +- ...rosoft-windows-defender-tampering.asciidoc | 4 +- ...mimikatz-memssp-log-file-detected.asciidoc | 4 +- ...cation-of-amsienable-registry-key.asciidoc | 4 +- ...odification-of-boot-configuration.asciidoc | 4 +- ...amic-linker-preload-shared-object.asciidoc | 2 +- .../modification-of-openssh-binaries.asciidoc | 2 +- ...on-of-the-mspkiaccountcredentials.asciidoc | 10 +- ...tion-of-wdigest-security-provider.asciidoc | 4 +- ...ng-hidden-or-webdav-remote-shares.asciidoc | 10 +- ...o-security-registry-modifications.asciidoc | 5 +- ...sbuild-making-network-connections.asciidoc | 2 +- ...failure-followed-by-logon-success.asciidoc | 6 +- ...lure-from-the-same-source-address.asciidoc | 6 +- ...ltiple-vault-web-credentials-read.asciidoc | 10 +- ...espace-manipulation-using-unshare.asciidoc | 2 +- ...t-listener-established-via-rlwrap.asciidoc | 2 +- ...network-activity-detected-via-cat.asciidoc | 2 +- ...ork-activity-detected-via-kworker.asciidoc | 76 ++ .../network-connection-via-certutil.asciidoc | 20 +- ...connection-via-compiled-html-file.asciidoc | 2 +- ...-via-recently-compiled-executable.asciidoc | 2 +- ...nnection-via-registration-utility.asciidoc | 2 +- ...work-connection-via-signed-binary.asciidoc | 2 +- ...on-provider-registry-modification.asciidoc | 28 +- ...oweddeviceid-added-via-powershell.asciidoc | 10 +- ...ted-by-previously-unknown-process.asciidoc | 2 +- .../new-systemd-timer-created.asciidoc | 6 +- .../nping-process-activity.asciidoc | 2 +- .../ntds-or-sam-database-file-copied.asciidoc | 10 +- .../peripheral-device-discovery.asciidoc | 4 +- ...tence-via-bits-job-notify-cmdline.asciidoc | 10 +- ...tence-via-hidden-run-key-detected.asciidoc | 10 +- ...ript-or-desktop-file-modification.asciidoc | 2 +- ...sistence-via-login-or-logout-hook.asciidoc | 10 +- ...tence-via-microsoft-office-addins.asciidoc | 10 +- ...istence-via-microsoft-outlook-vba.asciidoc | 10 +- ...stence-via-scheduled-job-creation.asciidoc | 10 +- ...ycontroller-scheduled-task-hijack.asciidoc | 10 +- ...pdate-orchestrator-service-hijack.asciidoc | 6 +- ...stence-via-wmi-event-subscription.asciidoc | 10 +- ...-scripts-in-the-startup-directory.asciidoc | 6 +- .../port-forwarding-rule-addition.asciidoc | 5 +- ...n-interface-bypass-via-powershell.asciidoc | 2 +- ...-application-shimming-via-sdbinst.asciidoc | 10 +- ...ial-code-execution-via-postgresql.asciidoc | 2 +- ...okies-theft-via-browser-debugging.asciidoc | 10 +- ...tial-credential-access-via-dcsync.asciidoc | 9 +- ...cess-via-duplicatehandle-in-lsass.asciidoc | 10 +- ...tial-access-via-lsass-memory-dump.asciidoc | 16 +- ...cess-via-renamed-com-services-dll.asciidoc | 10 +- ...ess-via-trusted-developer-utility.asciidoc | 2 +- ...tial-access-via-windows-utilities.asciidoc | 4 +- ...-curl-cve-2023-38545-exploitation.asciidoc | 2 +- ...tential-defense-evasion-via-proot.asciidoc | 2 +- .../potential-disabling-of-apparmor.asciidoc | 2 +- .../potential-disabling-of-selinux.asciidoc | 2 +- ...ft-antimalware-service-executable.asciidoc | 10 +- ...ng-via-trusted-microsoft-programs.asciidoc | 10 +- ...ential-dns-tunneling-via-nslookup.asciidoc | 8 +- ...ential-evasion-via-filter-manager.asciidoc | 2 +- ...al-linux-ssh-brute-force-detected.asciidoc | 2 +- ...-hidden-process-via-mount-hidepid.asciidoc | 2 +- ...al-linux-ssh-brute-force-detected.asciidoc | 2 +- ...invoke-mimikatz-powershell-script.asciidoc | 4 +- ...ux-backdoor-user-account-creation.asciidoc | 6 +- ...ntial-dumping-via-proc-filesystem.asciidoc | 2 +- ...x-credential-dumping-via-unshadow.asciidoc | 2 +- ...otential-linux-hack-tool-launched.asciidoc | 2 +- ...ocal-account-brute-force-detected.asciidoc | 2 +- ...ransomware-note-creation-detected.asciidoc | 2 +- ...-tunneling-and-or-port-forwarding.asciidoc | 2 +- ...e-creation-via-psscapturesnapshot.asciidoc | 10 +- ...emory-dump-via-psscapturesnapshot.asciidoc | 10 +- ...file-downloaded-from-google-drive.asciidoc | 50 +- ...tential-meterpreter-reverse-shell.asciidoc | 2 +- ...ication-of-accessibility-binaries.asciidoc | 7 +- ...l-network-scan-executed-from-host.asciidoc | 2 +- ...openssh-backdoor-logging-activity.asciidoc | 2 +- ...rsistence-through-init-d-detected.asciidoc | 6 +- ...rough-motd-file-creation-detected.asciidoc | 6 +- ...ence-through-run-control-detected.asciidoc | 6 +- ...hacktool-script-by-function-names.asciidoc | 10 +- ...-bypass-via-localhost-secure-copy.asciidoc | 10 +- ...rol-bypass-via-tccdb-modification.asciidoc | 10 +- ...on-through-writable-docker-socket.asciidoc | 2 +- ...on-via-container-misconfiguration.asciidoc | 2 +- ...lege-escalation-via-cve-2023-4911.asciidoc | 2 +- ...alation-via-installerfiletakeover.asciidoc | 6 +- ...rivilege-escalation-via-overlayfs.asciidoc | 2 +- ...l-privilege-escalation-via-pkexec.asciidoc | 2 +- ...-escalation-via-python-cap-setuid.asciidoc | 2 +- ...-via-recently-compiled-executable.asciidoc | 2 +- ...tion-via-uid-int-max-bug-detected.asciidoc | 2 +- ...ation-via-samaccountname-spoofing.asciidoc | 10 +- ...-process-injection-via-powershell.asciidoc | 4 +- ...tocol-tunneling-via-chisel-client.asciidoc | 2 +- ...tocol-tunneling-via-chisel-server.asciidoc | 2 +- ...-protocol-tunneling-via-earthworm.asciidoc | 2 +- ...-pspy-process-monitoring-detected.asciidoc | 2 +- ...ote-code-execution-via-web-server.asciidoc | 6 +- ...te-credential-access-via-registry.asciidoc | 6 +- ...remote-desktop-shadowing-activity.asciidoc | 10 +- ...remote-desktop-tunneling-detected.asciidoc | 5 +- ...verse-shell-activity-via-terminal.asciidoc | 4 +- ...erse-shell-via-background-process.asciidoc | 2 +- .../potential-reverse-shell-via-java.asciidoc | 2 +- ...verse-shell-via-suspicious-binary.asciidoc | 2 +- ...hell-via-suspicious-child-process.asciidoc | 2 +- .../potential-reverse-shell-via-udp.asciidoc | 2 +- .../potential-reverse-shell.asciidoc | 2 +- ...ow-credentials-added-to-ad-object.asciidoc | 4 +- ...e-read-via-command-line-utilities.asciidoc | 2 +- ...l-via-wildcard-injection-detected.asciidoc | 2 +- ...ential-ssh-it-ssh-worm-downloaded.asciidoc | 2 +- ...x-ftp-brute-force-attack-detected.asciidoc | 2 +- ...x-rdp-brute-force-attack-detected.asciidoc | 2 +- ...successful-ssh-brute-force-attack.asciidoc | 2 +- ...potential-sudo-hijacking-detected.asciidoc | 2 +- ...ege-escalation-via-cve-2019-14287.asciidoc | 2 +- ...anipulation-via-process-injection.asciidoc | 2 +- ...icious-debugfs-root-device-access.asciidoc | 2 +- ...s-via-wildcard-injection-detected.asciidoc | 2 +- ...-upgrade-of-non-interactive-shell.asciidoc | 2 +- ...indows-error-manager-masquerading.asciidoc | 2 +- .../powershell-kerberos-ticket-dump.asciidoc | 10 +- ...owershell-kerberos-ticket-request.asciidoc | 6 +- .../powershell-keylogging-script.asciidoc | 4 +- ...ershell-mailbox-collection-script.asciidoc | 4 +- .../powershell-minidump-script.asciidoc | 4 +- .../powershell-psreflect-script.asciidoc | 6 +- ...-archive-compression-capabilities.asciidoc | 10 +- ...cript-with-discovery-capabilities.asciidoc | 10 +- ...cript-with-log-clear-capabilities.asciidoc | 10 +- ...ord-policy-discovery-capabilities.asciidoc | 10 +- ...-execution-capabilities-via-winrm.asciidoc | 10 +- ...-token-impersonation-capabilities.asciidoc | 10 +- ...webcam-video-capture-capabilities.asciidoc | 10 +- ...wershell-share-enumeration-script.asciidoc | 4 +- ...ery-related-windows-api-functions.asciidoc | 4 +- ...us-payload-encoded-and-compressed.asciidoc | 6 +- ...t-with-audio-capture-capabilities.asciidoc | 4 +- ...-clipboard-retrieval-capabilities.asciidoc | 4 +- ...ript-with-screenshot-capabilities.asciidoc | 4 +- ...tion-via-named-pipe-impersonation.asciidoc | 6 +- ...ia-rogue-named-pipe-impersonation.asciidoc | 13 +- .../privileged-account-brute-force.asciidoc | 6 +- ...s-activity-via-compiled-html-file.asciidoc | 6 +- ...cess-creation-via-secondary-logon.asciidoc | 10 +- ...ecution-from-an-unusual-directory.asciidoc | 10 +- ...-started-from-process-id-pid-file.asciidoc | 2 +- ...-termination-followed-by-deletion.asciidoc | 2 +- ...gram-files-directory-masquerading.asciidoc | 10 +- ...pt-for-credentials-with-osascript.asciidoc | 10 +- ...script-execution-via-command-line.asciidoc | 8 - .../rdp-enabled-via-registry.asciidoc | 4 +- ...istry-persistence-via-appcert-dll.asciidoc | 10 +- ...istry-persistence-via-appinit-dll.asciidoc | 6 +- ...bled-in-windows-firewall-by-netsh.asciidoc | 4 +- .../remote-execution-via-file-shares.asciidoc | 6 +- ...emote-file-copy-to-a-hidden-share.asciidoc | 10 +- .../remote-file-copy-via-teamviewer.asciidoc | 19 +- ...oad-via-desktopimgdownldr-utility.asciidoc | 7 +- ...remote-file-download-via-mpcmdrun.asciidoc | 6 +- ...mote-file-download-via-powershell.asciidoc | 25 +- ...e-download-via-script-interpreter.asciidoc | 2 +- .../remote-system-discovery-commands.asciidoc | 4 +- ...remotely-started-services-via-rpc.asciidoc | 2 +- ...enamed-autoit-scripts-interpreter.asciidoc | 6 +- ...-executed-with-short-program-name.asciidoc | 2 +- ...d-task-execution-at-scale-via-gpo.asciidoc | 4 +- ...cheduled-tasks-at-command-enabled.asciidoc | 10 +- ...le-modified-by-unexpected-process.asciidoc | 4 +- ...or-saved-credentials-via-vaultcmd.asciidoc | 10 +- ...ity-software-discovery-using-wmic.asciidoc | 4 +- ...urity-software-discovery-via-grep.asciidoc | 4 +- ...e-enabled-by-a-suspicious-process.asciidoc | 10 +- .../rule-details/segfault-detected.asciidoc | 55 ++ .../sensitive-files-compression.asciidoc | 2 +- ...ationprivilege-assigned-to-a-user.asciidoc | 4 +- ...ol-spawned-via-script-interpreter.asciidoc | 2 +- ...tcap-setuid-setgid-capability-set.asciidoc | 2 +- ...ged-by-previously-unknown-process.asciidoc | 2 +- ...oxy-execution-via-ms-work-folders.asciidoc | 4 +- ...s-disabling-services-via-registry.asciidoc | 10 +- ...-persistence-via-unsigned-process.asciidoc | 2 +- ...ript-added-to-group-policy-object.asciidoc | 4 +- ...-or-run-key-registry-modification.asciidoc | 2 +- ...rsistence-by-a-suspicious-process.asciidoc | 6 +- ...ing-activity-with-high-confidence.asciidoc | 73 ++ ...el-detected-c2-beaconing-activity.asciidoc | 73 ++ ...r-application-script-modification.asciidoc | 10 +- ...sudo-command-enumeration-detected.asciidoc | 2 +- .../suid-sguid-enumeration-detected.asciidoc | 2 +- ...urst-command-and-control-activity.asciidoc | 2 +- ...us-antimalware-scan-interface-dll.asciidoc | 2 +- .../suspicious-certutil-commands.asciidoc | 2 +- .../suspicious-cmd-execution-via-wmi.asciidoc | 10 +- ...racted-or-decompressed-via-funzip.asciidoc | 2 +- ...ta-encryption-via-openssl-utility.asciidoc | 2 +- ...rsistence-or-privilege-escalation.asciidoc | 4 +- ...-endpoint-security-parent-process.asciidoc | 10 +- ...s-execution-from-a-mounted-device.asciidoc | 10 +- ...ious-execution-via-scheduled-task.asciidoc | 10 +- ...suspicious-explorer-child-process.asciidoc | 10 +- ...us-file-changes-activity-detected.asciidoc | 2 +- ...e-creation-in-etc-for-persistence.asciidoc | 2 +- .../suspicious-html-file-creation.asciidoc | 10 +- ...-load-taskschd-dll-from-ms-office.asciidoc | 10 +- ...process-communication-via-outlook.asciidoc | 20 +- .../suspicious-java-child-process.asciidoc | 4 +- ...ious-lsass-access-via-malseclogon.asciidoc | 10 +- .../suspicious-lsass-process-access.asciidoc | 43 +- ...ious-managed-code-hosting-process.asciidoc | 4 +- ...soft-diagnostics-wizard-execution.asciidoc | 10 +- ...ous-mining-process-creation-event.asciidoc | 2 +- .../suspicious-modprobe-file-event.asciidoc | 29 +- ...suspicious-module-loaded-by-lsass.asciidoc | 10 +- ...uspicious-ms-office-child-process.asciidoc | 4 +- ...spicious-ms-outlook-child-process.asciidoc | 4 +- .../suspicious-net-code-compilation.asciidoc | 10 +- ...ous-net-reflection-via-powershell.asciidoc | 6 +- ...-by-previously-unknown-executable.asciidoc | 2 +- ...spicious-pdf-reader-child-process.asciidoc | 4 +- ...able-encoded-in-powershell-script.asciidoc | 6 +- ...cious-print-spooler-file-deletion.asciidoc | 10 +- ...us-print-spooler-spl-file-created.asciidoc | 6 +- ...-service-executable-file-creation.asciidoc | 10 +- ...oc-pseudo-file-system-enumeration.asciidoc | 28 +- ...ess-access-via-direct-system-call.asciidoc | 6 +- ...ion-via-renamed-psexec-executable.asciidoc | 4 +- ...rocess-spawned-from-motd-detected.asciidoc | 6 +- ...picious-rdp-activex-client-loaded.asciidoc | 10 +- ...stry-access-via-sebackupprivilege.asciidoc | 4 +- ...suspicious-renaming-of-esxi-files.asciidoc | 2 +- ...-renaming-of-esxi-index-html-file.asciidoc | 2 +- ...rvice-was-installed-in-the-system.asciidoc | 2 +- ...spicious-solarwinds-child-process.asciidoc | 10 +- ...startup-shell-folder-modification.asciidoc | 2 +- .../suspicious-symbolic-link-created.asciidoc | 2 +- .../suspicious-sysctl-file-event.asciidoc | 30 +- ...-by-previously-unknown-executable.asciidoc | 2 +- ...cious-termination-of-esxi-process.asciidoc | 2 +- ...-utility-launched-via-proxychains.asciidoc | 2 +- ...suspicious-werfault-child-process.asciidoc | 12 +- ...ous-wmi-image-load-from-ms-office.asciidoc | 10 +- .../suspicious-zoom-child-process.asciidoc | 2 +- .../svchost-spawning-cmd.asciidoc | 6 +- ...bolic-link-to-shadow-copy-created.asciidoc | 22 +- ...-or-moved-to-suspicious-directory.asciidoc | 2 +- ...scovery-via-windows-command-shell.asciidoc | 4 +- .../system-log-file-deletion.asciidoc | 2 +- .../system-shells-via-services.asciidoc | 2 +- .../tainted-kernel-module-load.asciidoc | 14 +- ...ring-of-bash-command-line-history.asciidoc | 10 +- ...es-deleted-via-unexpected-process.asciidoc | 4 +- ...threat-intel-hash-indicator-match.asciidoc | 6 +- ...-intel-ip-address-indicator-match.asciidoc | 6 +- .../threat-intel-url-indicator-match.asciidoc | 6 +- ...-windows-registry-indicator-match.asciidoc | 6 +- .../timestomping-using-touch-command.asciidoc | 10 +- ...nternet-explorer-add-on-installer.asciidoc | 10 +- ...eged-ifileoperation-com-interface.asciidoc | 10 +- ...ia-windows-directory-masquerading.asciidoc | 6 +- ...ademanager-elevated-com-interface.asciidoc | 10 +- ...diskcleanup-scheduled-task-hijack.asciidoc | 10 +- ...icmluautil-elevated-com-interface.asciidoc | 10 +- ...a-windows-firewall-snap-in-hijack.asciidoc | 6 +- ...ocess-of-macos-screensaver-engine.asciidoc | 4 +- ...-loading-from-a-suspicious-folder.asciidoc | 10 +- .../untrusted-driver-loaded.asciidoc | 2 +- ...ess-from-a-system-virtual-process.asciidoc | 10 +- .../unusual-child-process-of-dns-exe.asciidoc | 4 +- ...tion-by-a-system-critical-process.asciidoc | 6 +- ...le-creation-alternate-data-stream.asciidoc | 6 +- ...sual-file-modification-by-dns-exe.asciidoc | 4 +- ...vity-from-a-windows-system-binary.asciidoc | 2 +- ...unusual-parent-child-relationship.asciidoc | 6 +- ...nusual-parent-process-for-cmd-exe.asciidoc | 10 +- ...usual-print-spooler-child-process.asciidoc | 10 +- ...cution-path-alternate-data-stream.asciidoc | 10 +- ...nusual-process-for-a-windows-host.asciidoc | 2 +- ...t-child-process-childless-service.asciidoc | 10 +- ...user-privilege-enumeration-via-id.asciidoc | 2 +- .../user-account-creation.asciidoc | 4 +- ...-account-exposed-to-kerberoasting.asciidoc | 5 +- .../user-added-to-privileged-group.asciidoc | 4 +- ...l-machine-fingerprinting-via-grep.asciidoc | 10 +- .../virtual-machine-fingerprinting.asciidoc | 2 +- ...rivate-network-connection-attempt.asciidoc | 10 +- ...y-deleted-or-resized-via-vssadmin.asciidoc | 5 +- ...adow-copy-deletion-via-powershell.asciidoc | 5 +- ...ume-shadow-copy-deletion-via-wmic.asciidoc | 5 +- ...ess-child-of-common-web-processes.asciidoc | 4 +- .../webserver-access-logs-deleted.asciidoc | 10 +- .../whoami-process-activity.asciidoc | 4 +- ...isabled-via-registry-modification.asciidoc | 4 +- ...r-exclusions-added-via-powershell.asciidoc | 4 +- ...-firewall-disabled-via-powershell.asciidoc | 4 +- .../windows-network-enumeration.asciidoc | 4 +- ...gistry-file-creation-in-smb-share.asciidoc | 10 +- ...ndows-script-executing-powershell.asciidoc | 4 +- ...e-installed-via-an-unusual-client.asciidoc | 10 +- ...ntial-dumping-using-netsh-command.asciidoc | 2 +- .../zoom-meeting-with-no-passcode.asciidoc | 10 +- docs/index.asciidoc | 2 + 804 files changed, 40606 insertions(+), 2180 deletions(-) create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-abnormal-process-id-or-lock-file-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-access-of-stored-browser-credentials.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-access-to-a-sensitive-ldap-attribute.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-access-to-keychain-credentials-directories.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-account-discovery-command-via-system-account.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-adfind-command-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-adminsdholder-sdprop-exclusion-added.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-adobe-hijack-persistence.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-apple-scripting-execution-with-administrator-privileges.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-clear-kernel-ring-buffer.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-disable-iptables-or-firewall.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-disable-syslog-service.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-mount-smb-share-via-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-remove-file-quarantine-attribute.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-base16-or-base32-encoding-decoding-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-binary-executed-from-shared-memory-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-bpf-filter-applied-using-tc.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-bypass-uac-via-event-viewer.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-chkconfig-service-add.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-clearing-windows-console-history.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-clearing-windows-event-logs.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-command-execution-via-solarwinds-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-command-shell-activity-started-via-rundll32.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-component-object-model-hijacking.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-conhost-spawned-by-suspicious-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-connection-to-commonly-abused-free-ssl-certificate-providers.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-connection-to-commonly-abused-web-services.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-connection-to-external-network-via-telnet.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-connection-to-internal-network-via-telnet.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-control-panel-process-with-unusual-arguments.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-a-hidden-local-user-account.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-hidden-files-and-directories-via-commandline.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-hidden-launch-agent-or-daemon.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-hidden-login-item-via-apple-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-hidden-shared-object-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-or-modification-of-root-certificate.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-credential-acquisition-via-registry-hive-dumping.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-cron-job-created-or-changed-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-deleting-backup-catalogs-with-wbadmin.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-deprecated-potential-reverse-shell-via-suspicious-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-disable-windows-firewall-rules-via-netsh.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-disabling-user-account-control-via-registry-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-disabling-windows-defender-security-settings-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-dns-over-https-enabled-via-registry.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-dumping-of-keychain-content-via-security-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-dynamic-linker-copy.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-elastic-agent-service-terminated.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-emond-rules-creation-or-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enable-host-network-discovery-via-netsh.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-encrypting-files-with-winrar-or-7z.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-command-spawned-via-wmiprvse.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-of-administrator-accounts.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-of-kernel-modules.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-of-privileged-local-groups-membership.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-of-users-or-groups-via-built-in-commands.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-esxi-discovery-via-find.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-esxi-discovery-via-grep.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-esxi-timestomping-using-touch-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-executable-file-creation-with-multiple-extensions.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-from-unusual-directory-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-of-com-object-via-xwizard.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-via-local-sxs-shared-module.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-via-tsclient-mountpoint.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-exporting-exchange-mailbox-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-creation-execution-and-self-deletion-in-suspicious-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-deletion-via-shred.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-made-immutable-by-chattr.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-permission-modification-in-writable-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-transfer-or-listener-established-via-netcat.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-firsttime-seen-account-performing-dcsync.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-group-policy-abuse-for-privilege-addition.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-high-number-of-process-terminations.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-hosts-file-modified.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-hping-process-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-iis-http-logging-disabled.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-imageload-via-windows-update-auto-update-client.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-ingress-transfer-via-windows-bits.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-installation-of-security-support-provider.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-interactive-terminal-spawned-via-perl.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-interactive-terminal-spawned-via-python.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kerberos-pre-authentication-disabled-for-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kerberos-traffic-from-unusual-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kernel-load-or-unload-via-kexec-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kernel-module-load-via-insmod.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kernel-module-removal.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-keychain-password-retrieval-via-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-krbtgt-delegation-backdoor.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-lateral-movement-via-startup-folder.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-group-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-init-pid-1-secret-dump-via-gdb.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-user-account-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-user-added-to-privileged-group.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-lsass-memory-dump-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-lsass-memory-dump-handle-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-lsass-process-access-via-windows-api.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-masquerading-space-after-filename.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-started-an-unusual-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-started-by-a-script-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-started-by-a-system-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-started-by-an-office-application.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-using-an-alternate-name.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-exchange-server-um-writing-suspicious-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-iis-connection-strings-decryption.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-iis-service-account-password-dumped.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-windows-defender-tampering.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-mimikatz-memssp-log-file-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-amsienable-registry-key.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-boot-configuration.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-dynamic-linker-preload-shared-object.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-openssh-binaries.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-the-mspkiaccountcredentials.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-wdigest-security-provider.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-mounting-hidden-or-webdav-remote-shares.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-ms-office-macro-security-registry-modifications.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-multiple-logon-failure-followed-by-logon-success.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-multiple-logon-failure-from-the-same-source-address.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-multiple-vault-web-credentials-read.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-namespace-manipulation-using-unshare.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-netcat-listener-established-via-rlwrap.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-network-activity-detected-via-cat.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-network-activity-detected-via-kworker.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-network-connection-via-recently-compiled-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-network-logon-provider-registry-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-new-activesyncalloweddeviceid-added-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-new-systemd-service-created-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-new-systemd-timer-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-nping-process-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-ntds-or-sam-database-file-copied.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-peripheral-device-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-bits-job-notify-cmdline.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-hidden-run-key-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-login-or-logout-hook.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-microsoft-office-addins.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-microsoft-outlook-vba.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-scheduled-job-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-update-orchestrator-service-hijack.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-wmi-event-subscription.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistent-scripts-in-the-startup-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-port-forwarding-rule-addition.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-application-shimming-via-sdbinst.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-code-execution-via-postgresql.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-cookies-theft-via-browser-debugging.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-dcsync.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-duplicatehandle-in-lsass.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-lsass-memory-dump.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-renamed-com-services-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-windows-utilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-curl-cve-2023-38545-exploitation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-defense-evasion-via-proot.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-disabling-of-apparmor.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-disabling-of-selinux.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-dll-side-loading-via-microsoft-antimalware-service-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-dns-tunneling-via-nslookup.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-external-linux-ssh-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-hidden-process-via-mount-hidepid.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-internal-linux-ssh-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-invoke-mimikatz-powershell-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-backdoor-user-account-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-credential-dumping-via-proc-filesystem.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-credential-dumping-via-unshadow.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-hack-tool-launched.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-local-account-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-ransomware-note-creation-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-tunneling-and-or-port-forwarding.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-malicious-file-downloaded-from-google-drive.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-meterpreter-reverse-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-modification-of-accessibility-binaries.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-network-scan-executed-from-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-openssh-backdoor-logging-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-persistence-through-init-d-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-persistence-through-motd-file-creation-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-persistence-through-run-control-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-powershell-hacktool-script-by-function-names.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privacy-control-bypass-via-tccdb-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-through-writable-docker-socket.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-container-misconfiguration.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-cve-2023-4911.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-installerfiletakeover.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-overlayfs.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-pkexec.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-python-cap-setuid.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-recently-compiled-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-uid-int-max-bug-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privileged-escalation-via-samaccountname-spoofing.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-process-injection-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-protocol-tunneling-via-chisel-client.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-protocol-tunneling-via-chisel-server.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-protocol-tunneling-via-earthworm.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-pspy-process-monitoring-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-remote-code-execution-via-web-server.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-remote-credential-access-via-registry.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-remote-desktop-shadowing-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-remote-desktop-tunneling-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-activity-via-terminal.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-background-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-java.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-suspicious-binary.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-suspicious-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-udp.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-shadow-credentials-added-to-ad-object.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-shadow-file-read-via-command-line-utilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-shell-via-wildcard-injection-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-ssh-it-ssh-worm-downloaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-successful-ssh-brute-force-attack.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-sudo-hijacking-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-sudo-privilege-escalation-via-cve-2019-14287.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-sudo-token-manipulation-via-process-injection.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-suspicious-debugfs-root-device-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-unauthorized-access-via-wildcard-injection-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-upgrade-of-non-interactive-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-kerberos-ticket-dump.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-kerberos-ticket-request.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-keylogging-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-mailbox-collection-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-minidump-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-psreflect-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-script-with-token-impersonation-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-share-enumeration-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-discovery-related-windows-api-functions.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-payload-encoded-and-compressed.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-script-with-clipboard-retrieval-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-script-with-screenshot-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-privilege-escalation-via-named-pipe-impersonation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-privileged-account-brute-force.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-process-activity-via-compiled-html-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-process-creation-via-secondary-logon.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-process-execution-from-an-unusual-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-process-started-from-process-id-pid-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-program-files-directory-masquerading.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-prompt-for-credentials-with-osascript.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-rdp-enabled-via-registry.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-registry-persistence-via-appcert-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-registry-persistence-via-appinit-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-desktop-enabled-in-windows-firewall-by-netsh.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-copy-to-a-hidden-share.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-copy-via-teamviewer.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-download-via-desktopimgdownldr-utility.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-download-via-mpcmdrun.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-download-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-renamed-autoit-scripts-interpreter.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-scheduled-task-execution-at-scale-via-gpo.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-scheduled-tasks-at-command-enabled.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-screensaver-plist-file-modified-by-unexpected-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-searching-for-saved-credentials-via-vaultcmd.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-security-software-discovery-via-grep.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sedebugprivilege-enabled-by-a-suspicious-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sensitive-files-compression.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-setcap-setuid-setgid-capability-set.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-shared-object-created-or-changed-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-signed-proxy-execution-via-ms-work-folders.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-solarwinds-process-disabling-services-via-registry.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-startup-logon-script-added-to-group-policy-object.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-startup-persistence-by-a-suspicious-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-statistical-model-detected-c2-beaconing-activity-with-high-confidence.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-statistical-model-detected-c2-beaconing-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sublime-plugin-or-application-script-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sudo-command-enumeration-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suid-sguid-enumeration-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-cmd-execution-via-wmi.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-content-extracted-or-decompressed-via-funzip.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-data-encryption-via-openssl-utility.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-endpoint-security-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-execution-from-a-mounted-device.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-execution-via-scheduled-task.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-explorer-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-file-changes-activity-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-file-creation-in-etc-for-persistence.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-html-file-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-image-load-taskschd-dll-from-ms-office.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-inter-process-communication-via-outlook.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-java-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-lsass-access-via-malseclogon.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-lsass-process-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-microsoft-diagnostics-wizard-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-mining-process-creation-event.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-module-loaded-by-lsass.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-ms-office-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-ms-outlook-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-net-code-compilation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-net-reflection-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-pdf-reader-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-portable-executable-encoded-in-powershell-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-print-spooler-file-deletion.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-print-spooler-spl-file-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-printspooler-service-executable-file-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-process-access-via-direct-system-call.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-process-execution-via-renamed-psexec-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-process-spawned-from-motd-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-rdp-activex-client-loaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-remote-registry-access-via-sebackupprivilege.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-renaming-of-esxi-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-renaming-of-esxi-index-html-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-solarwinds-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-symbolic-link-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-termination-of-esxi-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-utility-launched-via-proxychains.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-werfault-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-wmi-image-load-from-ms-office.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-svchost-spawning-cmd.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-symbolic-link-to-shadow-copy-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-system-log-file-deletion.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-tampering-of-bash-command-line-history.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-third-party-backup-files-deleted-via-unexpected-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-threat-intel-hash-indicator-match.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-threat-intel-ip-address-indicator-match.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-threat-intel-url-indicator-match.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-threat-intel-windows-registry-indicator-match.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-timestomping-using-touch-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unexpected-child-process-of-macos-screensaver-engine.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-child-process-from-a-system-virtual-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-child-process-of-dns-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-executable-file-creation-by-a-system-critical-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-file-creation-alternate-data-stream.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-file-modification-by-dns-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-parent-child-relationship.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-parent-process-for-cmd-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-print-spooler-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-process-execution-path-alternate-data-stream.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-service-host-child-process-childless-service.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-user-privilege-enumeration-via-id.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-user-account-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-user-account-exposed-to-kerberoasting.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-user-added-to-privileged-group.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-virtual-machine-fingerprinting-via-grep.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-virtual-machine-fingerprinting.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-virtual-private-network-connection-attempt.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-volume-shadow-copy-deleted-or-resized-via-vssadmin.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-volume-shadow-copy-deletion-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-volume-shadow-copy-deletion-via-wmic.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-web-shell-detection-script-process-child-of-common-web-processes.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-webserver-access-logs-deleted.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-whoami-process-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-defender-disabled-via-registry-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-defender-exclusions-added-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-firewall-disabled-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-registry-file-creation-in-smb-share.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-script-executing-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-service-installed-via-an-unusual-client.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-zoom-meeting-with-no-passcode.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rules-8-11-3-appendix.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rules-8-11-3-summary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/attempt-to-clear-kernel-ring-buffer.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/kernel-driver-load.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/network-activity-detected-via-kworker.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/segfault-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/statistical-model-detected-c2-beaconing-activity-with-high-confidence.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/statistical-model-detected-c2-beaconing-activity.asciidoc diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-abnormal-process-id-or-lock-file-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-abnormal-process-id-or-lock-file-created.asciidoc new file mode 100644 index 0000000000..df2235cb55 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-abnormal-process-id-or-lock-file-created.asciidoc @@ -0,0 +1,122 @@ +[[prebuilt-rule-8-11-3-abnormal-process-id-or-lock-file-created]] +=== Abnormal Process ID or Lock File Created + +Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/ +* https://twitter.com/GossiTheDog/status/1522964028284411907 +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf +* https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Threat: BPFDoor +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 211 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Abnormal Process ID or Lock File Created + +Linux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value. + +Linux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented. + +This rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files. + +#### Possible investigation steps + +- Retrieve the file and determine if it is malicious: + - Check the contents of the PID files. They should only contain integer strings. + - Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files. + - Check the size of the subject file. Legitimate PID files should be under 10 bytes. + - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload. + - Analysts can use tools like `ent` to measure entropy. + - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation. +- Trace the file's creation to ensure it came from a legitimate or authorized process. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes. + +### False positive analysis + +- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious. +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of file name and process executable conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Block the identified indicators of compromise (IoCs). +- Take actions to terminate processes and connections used by the attacker. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:file and event.action:creation and +user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and ( + (process.name : ( + bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp) + ) or ( + process.executable : ( + ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/* + )) +) and not process.name : (go or git or containerd* or snap-confine) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-access-of-stored-browser-credentials.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-access-of-stored-browser-credentials.asciidoc new file mode 100644 index 0000000000..405a08346b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-access-of-stored-browser-credentials.asciidoc @@ -0,0 +1,87 @@ +[[prebuilt-rule-8-11-3-access-of-stored-browser-credentials]] +=== Access of Stored Browser Credentials + +Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://securelist.com/calisto-trojan-for-macos/86543/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.args : + ( + "/Users/*/Library/Application Support/Google/Chrome/Default/Login Data", + "/Users/*/Library/Application Support/Google/Chrome/Default/Cookies", + "/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies", + "/Users/*/Library/Cookies*", + "/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite", + "/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db", + "/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json", + "Login Data", + "Cookies.binarycookies", + "key4.db", + "key3.db", + "logins.json", + "cookies.sqlite" + ) and + not (process.name : "wordexp-helper" and process.parent.name : ("elastic-agent", "elastic-endpoint")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Web Session Cookie +** ID: T1539 +** Reference URL: https://attack.mitre.org/techniques/T1539/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Credentials from Web Browsers +** ID: T1555.003 +** Reference URL: https://attack.mitre.org/techniques/T1555/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-access-to-a-sensitive-ldap-attribute.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-access-to-a-sensitive-ldap-attribute.asciidoc new file mode 100644 index 0000000000..f306aaa502 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-access-to-a-sensitive-ldap-attribute.asciidoc @@ -0,0 +1,110 @@ +[[prebuilt-rule-8-11-3-access-to-a-sensitive-ldap-attribute]] +=== Access to a Sensitive LDAP Attribute + +Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming +* https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx +* https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Privilege Escalation +* Use Case: Active Directory Monitoring +* Data Source: Active Directory + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +any where event.action == "Directory Service Access" and event.code == "4662" and + + not winlog.event_data.SubjectUserSid : "S-1-5-18" and + + winlog.event_data.Properties : ( + /* unixUserPassword */ + "*612cb747-c0e8-4f92-9221-fdd5f15b550d*", + + /* ms-PKI-AccountCredentials */ + "*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*", + + /* ms-PKI-DPAPIMasterKeys */ + "*b3f93023-9239-4f7c-b99c-6745d87adbc2*", + + /* msPKI-CredentialRoamingTokens */ + "*b7ff5a38-0818-42b0-8110-d3d154c97f24*" + ) and + + /* + Excluding noisy AccessMasks + 0x0 undefined and 0x100 Control Access + https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662 + */ + not winlog.event_data.AccessMask in ("0x0", "0x100") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Technique: +** Name: Unsecured Credentials +** ID: T1552 +** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Sub-technique: +** Name: Private Keys +** ID: T1552.004 +** Reference URL: https://attack.mitre.org/techniques/T1552/004/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-access-to-keychain-credentials-directories.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-access-to-keychain-credentials-directories.asciidoc new file mode 100644 index 0000000000..7c7f80273b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-access-to-keychain-credentials-directories.asciidoc @@ -0,0 +1,93 @@ +[[prebuilt-rule-8-11-3-access-to-keychain-credentials-directories]] +=== Access to Keychain Credentials Directories + +Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objective-see.com/blog/blog_0x25.html +* https://securelist.com/calisto-trojan-for-macos/86543/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.args : + ( + "/Users/*/Library/Keychains/*", + "/Library/Keychains/*", + "/Network/Library/Keychains/*", + "System.keychain", + "login.keychain-db", + "login.keychain" + ) and + not process.args : ("find-certificate", + "add-trusted-cert", + "set-keychain-settings", + "delete-certificate", + "/Users/*/Library/Keychains/openvpn.keychain-db", + "show-keychain-info", + "lock-keychain", + "set-key-partition-list", + "import", + "find-identity") and + not process.parent.executable : + ( + "/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect", + "/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise", + "/opt/jc/bin/jumpcloud-agent" + ) and + not process.executable : "/opt/jc/bin/jumpcloud-agent" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-account-discovery-command-via-system-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-account-discovery-command-via-system-account.asciidoc new file mode 100644 index 0000000000..1253549ec3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-account-discovery-command-via-system-account.asciidoc @@ -0,0 +1,116 @@ +[[prebuilt-rule-8-11-3-account-discovery-command-via-system-account]] +=== Account Discovery Command via SYSTEM Account + +Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Account Discovery Command via SYSTEM Account + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software. + +This rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. + - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +- Use the data collected through the analysis to investigate other machines affected in the environment. + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (?process.Ext.token.integrity_level_name : "System" or + ?winlog.event_data.IntegrityLevel : "System") and + (process.name : "whoami.exe" or + (process.name : "net1.exe" and not process.parent.name : "net.exe")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Owner/User Discovery +** ID: T1033 +** Reference URL: https://attack.mitre.org/techniques/T1033/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Local Accounts +** ID: T1078.003 +** Reference URL: https://attack.mitre.org/techniques/T1078/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-adfind-command-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-adfind-command-activity.asciidoc new file mode 100644 index 0000000000..1eb7aadf94 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-adfind-command-activity.asciidoc @@ -0,0 +1,146 @@ +[[prebuilt-rule-8-11-3-adfind-command-activity]] +=== AdFind Command Activity + +This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://www.joeware.net/freetools/tools/adfind/ +* https://thedfirreport.com/2020/05/08/adfind-recon/ +* https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html +* https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware +* https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html +* https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AdFind Command Activity + +[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Examine the command line to determine what information was retrieved by the tool. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators. +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling. + +### Related rules + +- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1 +- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d +- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "AdFind.exe" or process.pe.original_file_name == "AdFind.exe") and + process.args : ("objectcategory=computer", "(objectcategory=computer)", + "objectcategory=person", "(objectcategory=person)", + "objectcategory=subnet", "(objectcategory=subnet)", + "objectcategory=group", "(objectcategory=group)", + "objectcategory=organizationalunit", "(objectcategory=organizationalunit)", + "objectcategory=attributeschema", "(objectcategory=attributeschema)", + "domainlist", "dcmodes", "adinfo", "dclist", "computers_pwnotreqd", "trustdmp") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Remote System Discovery +** ID: T1018 +** Reference URL: https://attack.mitre.org/techniques/T1018/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Domain Groups +** ID: T1069.002 +** Reference URL: https://attack.mitre.org/techniques/T1069/002/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Sub-technique: +** Name: Domain Account +** ID: T1087.002 +** Reference URL: https://attack.mitre.org/techniques/T1087/002/ +* Technique: +** Name: Domain Trust Discovery +** ID: T1482 +** Reference URL: https://attack.mitre.org/techniques/T1482/ +* Technique: +** Name: System Network Configuration Discovery +** ID: T1016 +** Reference URL: https://attack.mitre.org/techniques/T1016/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-adminsdholder-sdprop-exclusion-added.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-adminsdholder-sdprop-exclusion-added.asciidoc new file mode 100644 index 0000000000..85e95649b8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-adminsdholder-sdprop-exclusion-added.asciidoc @@ -0,0 +1,123 @@ +[[prebuilt-rule-8-11-3-adminsdholder-sdprop-exclusion-added]] +=== AdminSDHolder SDProp Exclusion Added + +Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad +* https://petri.com/active-directory-security-understanding-adminsdholder-object + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Active Directory +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating AdminSDHolder SDProp Exclusion Added + +The SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object. + +The dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory. + +Administrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s): + +- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001). + +The usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges. + +This rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field: + - Account Operators eq 1 + - Server Operators eq 2 + - Print Operators eq 4 + - Backup Operators eq 8 + The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit. + +### False positive analysis + +- While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group. + +### Response and remediation + +- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where event.action == "Directory Service Changes" and + event.code == "5136" and + winlog.event_data.AttributeLDAPDisplayName : "dSHeuristics" and + length(winlog.event_data.AttributeValue) > 15 and + winlog.event_data.AttributeValue regex~ "[0-9]{15}([1-9a-f]).*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-adobe-hijack-persistence.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-adobe-hijack-persistence.asciidoc new file mode 100644 index 0000000000..0a313ca06e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-adobe-hijack-persistence.asciidoc @@ -0,0 +1,135 @@ +[[prebuilt-rule-8-11-3-adobe-hijack-persistence]] +=== Adobe Hijack Persistence + +Detects writing executable files that will be automatically launched by Adobe on launch. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/pabraeken/status/997997818362155008 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Adobe Hijack Persistence + +Attackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and + file.path : ("?:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe", + "?:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe") and + not process.name : "msiexec.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Services File Permissions Weakness +** ID: T1574.010 +** Reference URL: https://attack.mitre.org/techniques/T1574/010/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-apple-scripting-execution-with-administrator-privileges.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-apple-scripting-execution-with-administrator-privileges.asciidoc new file mode 100644 index 0000000000..3a14c61d28 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-apple-scripting-execution-with-administrator-privileges.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-11-3-apple-scripting-execution-with-administrator-privileges]] +=== Apple Scripting Execution with Administrator Privileges + +Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://discussions.apple.com/thread/2266150 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and + process.command_line : "osascript*with administrator privileges" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-clear-kernel-ring-buffer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-clear-kernel-ring-buffer.asciidoc new file mode 100644 index 0000000000..37dfdac876 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-clear-kernel-ring-buffer.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-11-3-attempt-to-clear-kernel-ring-buffer]] +=== Attempt to Clear Kernel Ring Buffer + +Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events to evade detection after installing a Linux kernel module (LKM). + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "dmesg" and process.args : "-c" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Linux or Mac System Logs +** ID: T1070.002 +** Reference URL: https://attack.mitre.org/techniques/T1070/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-disable-iptables-or-firewall.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-disable-iptables-or-firewall.asciidoc new file mode 100644 index 0000000000..48897acc68 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-disable-iptables-or-firewall.asciidoc @@ -0,0 +1,78 @@ +[[prebuilt-rule-8-11-3-attempt-to-disable-iptables-or-firewall]] +=== Attempt to Disable IPTables or Firewall + +Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and + ( + /* disable FW */ + ( + (process.name == "ufw" and process.args == "disable") or + (process.name == "iptables" and process.args == "-F" and process.args_count == 2) + ) or + + /* stop FW service */ + ( + ((process.name == "service" and process.args == "stop") or + (process.name == "chkconfig" and process.args == "off") or + (process.name == "systemctl" and process.args in ("disable", "stop", "kill"))) and + process.args in ("firewalld", "ip6tables", "iptables") + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-disable-syslog-service.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-disable-syslog-service.asciidoc new file mode 100644 index 0000000000..0f226c3a70 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-disable-syslog-service.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-11-3-attempt-to-disable-syslog-service]] +=== Attempt to Disable Syslog Service + +Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and + ( (process.name == "service" and process.args == "stop") or + (process.name == "chkconfig" and process.args == "off") or + (process.name == "systemctl" and process.args in ("disable", "stop", "kill")) + ) and process.args in ("syslog", "rsyslog", "syslog-ng") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-mount-smb-share-via-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-mount-smb-share-via-command-line.asciidoc new file mode 100644 index 0000000000..6340c660f5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-mount-smb-share-via-command-line.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-8-11-3-attempt-to-mount-smb-share-via-command-line]] +=== Attempt to Mount SMB Share via Command Line + +Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.freebsd.org/cgi/man.cgi?mount_smbfs +* https://ss64.com/osx/mount.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + ( + process.name : "mount_smbfs" or + (process.name : "open" and process.args : "smb://*") or + (process.name : "mount" and process.args : "smbfs") or + (process.name : "osascript" and process.command_line : "osascript*mount volume*smb://*") + ) and + not process.parent.executable : "/Applications/Google Drive.app/Contents/MacOS/Google Drive" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-remove-file-quarantine-attribute.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-remove-file-quarantine-attribute.asciidoc new file mode 100644 index 0000000000..7bd7f059bf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-attempt-to-remove-file-quarantine-attribute.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-8-11-3-attempt-to-remove-file-quarantine-attribute]] +=== Attempt to Remove File Quarantine Attribute + +Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html +* https://ss64.com/osx/xattr.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.name : "xattr" and + ( + (process.args : "com.apple.quarantine" and process.args : ("-d", "-w")) or + (process.args : "-c") or + (process.command_line : ("/bin/bash -c xattr -c *", "/bin/zsh -c xattr -c *", "/bin/sh -c xattr -c *")) + ) and not process.args_count > 12 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-base16-or-base32-encoding-decoding-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-base16-or-base32-encoding-decoding-activity.asciidoc new file mode 100644 index 0000000000..8ae767f00f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-base16-or-base32-encoding-decoding-activity.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-11-3-base16-or-base32-encoding-decoding-activity]] +=== Base16 or Base32 Encoding/Decoding Activity + +Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:(start or process_started) and + process.name:(base16 or base32 or base32plain or base32hex) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-binary-executed-from-shared-memory-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-binary-executed-from-shared-memory-directory.asciidoc new file mode 100644 index 0000000000..912053ba79 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-binary-executed-from-shared-memory-directory.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-3-binary-executed-from-shared-memory-directory]] +=== Binary Executed from Shared Memory Directory + +Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://linuxsecurity.com/features/fileless-malware-on-linux +* https://twitter.com/GossiTheDog/status/1522964028284411907 +* https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Threat: BPFDoor +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and +process.executable : ("/dev/shm/*", "/run/shm/*", "/var/run/*", "/var/lock/*") and +not process.executable : ("/var/run/docker/*", "/var/run/utsns/*", "/var/run/s6/*", "/var/run/cloudera-scm-agent/*") and +user.id == "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-bpf-filter-applied-using-tc.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-bpf-filter-applied-using-tc.asciidoc new file mode 100644 index 0000000000..fce1e79eb7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-bpf-filter-applied-using-tc.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-3-bpf-filter-applied-using-tc]] +=== BPF filter applied using TC + +Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh +* https://man7.org/linux/man-pages/man8/tc.8.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Threat: TripleCross +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type != "end" and process.executable : "/usr/sbin/tc" and process.args : "filter" and process.args : "add" and process.args : "bpf" and not process.parent.executable: "/usr/sbin/libvirtd" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-bypass-uac-via-event-viewer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-bypass-uac-via-event-viewer.asciidoc new file mode 100644 index 0000000000..d221fe7a52 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-bypass-uac-via-event-viewer.asciidoc @@ -0,0 +1,149 @@ +[[prebuilt-rule-8-11-3-bypass-uac-via-event-viewer]] +=== Bypass UAC via Event Viewer + +Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Bypass UAC via Event Viewer + +Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted. + +For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works). + +During startup, `eventvwr.exe` checks the registry value of the `HKCU\Software\Classes\mscfile\shell\open\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "eventvwr.exe" and + not process.executable : + ("?:\\Windows\\SysWOW64\\mmc.exe", + "?:\\Windows\\System32\\mmc.exe", + "?:\\Windows\\SysWOW64\\WerFault.exe", + "?:\\Windows\\System32\\WerFault.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-chkconfig-service-add.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-chkconfig-service-add.asciidoc new file mode 100644 index 0000000000..b2a38f2830 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-chkconfig-service-add.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-11-3-chkconfig-service-add]] +=== Chkconfig Service Add + +Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Lightning Framework +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +( + (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or + (process.args : "*chkconfig" and process.args : "--add") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-clearing-windows-console-history.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-clearing-windows-console-history.asciidoc new file mode 100644 index 0000000000..066217000c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-clearing-windows-console-history.asciidoc @@ -0,0 +1,128 @@ +[[prebuilt-rule-8-11-3-clearing-windows-console-history]] +=== Clearing Windows Console History + +Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/ +* https://www.shellhacks.com/clear-history-powershell/ +* https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Clearing Windows Console History + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + - Verify if any other anti-forensics behaviors were observed. +- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility. + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and + (process.args : "*Clear-History*" or + (process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or + (process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Command History +** ID: T1070.003 +** Reference URL: https://attack.mitre.org/techniques/T1070/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-clearing-windows-event-logs.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-clearing-windows-event-logs.asciidoc new file mode 100644 index 0000000000..2fa08e33e9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-clearing-windows-event-logs.asciidoc @@ -0,0 +1,122 @@ +[[prebuilt-rule-8-11-3-clearing-windows-event-logs]] +=== Clearing Windows Event Logs + +Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Clearing Windows Event Logs + +Windows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response. + +This rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + - Verify if any other anti-forensics behaviors were observed. +- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action. +- Analyze whether the cleared event log is pertinent to security and general monitoring. Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. + - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +( + ( + (process.name : "wevtutil.exe" or process.pe.original_file_name == "wevtutil.exe") and + process.args : ("/e:false", "cl", "clear-log") + ) or + ( + process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and + process.args : "Clear-EventLog" + ) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Windows Event Logs +** ID: T1070.001 +** Reference URL: https://attack.mitre.org/techniques/T1070/001/ +* Sub-technique: +** Name: Disable Windows Event Logging +** ID: T1562.002 +** Reference URL: https://attack.mitre.org/techniques/T1562/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-command-execution-via-solarwinds-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-command-execution-via-solarwinds-process.asciidoc new file mode 100644 index 0000000000..c2a33f622c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-command-execution-via-solarwinds-process.asciidoc @@ -0,0 +1,95 @@ +[[prebuilt-rule-8-11-3-command-execution-via-solarwinds-process]] +=== Command Execution via SolarWinds Process + +A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html +* https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Initial Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and +process.parent.name: ( + "ConfigurationWizard*.exe", + "NetflowDatabaseMaintenance*.exe", + "NetFlowService*.exe", + "SolarWinds.Administration*.exe", + "SolarWinds.Collector.Service*.exe", + "SolarwindsDiagnostics*.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Supply Chain Compromise +** ID: T1195 +** Reference URL: https://attack.mitre.org/techniques/T1195/ +* Sub-technique: +** Name: Compromise Software Supply Chain +** ID: T1195.002 +** Reference URL: https://attack.mitre.org/techniques/T1195/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-command-shell-activity-started-via-rundll32.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-command-shell-activity-started-via-rundll32.asciidoc new file mode 100644 index 0000000000..30a7dd673e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-command-shell-activity-started-via-rundll32.asciidoc @@ -0,0 +1,98 @@ +[[prebuilt-rule-8-11-3-command-shell-activity-started-via-rundll32]] +=== Command Shell Activity Started via RunDLL32 + +Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Credential Access +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : ("cmd.exe", "powershell.exe") and + process.parent.name : "rundll32.exe" and process.parent.command_line != null and + /* common FPs can be added here */ + not process.parent.args : ("C:\\Windows\\System32\\SHELL32.dll,RunAsNewUser_RunDLL", + "C:\\WINDOWS\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Unsecured Credentials +** ID: T1552 +** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-component-object-model-hijacking.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-component-object-model-hijacking.asciidoc new file mode 100644 index 0000000000..fdf887238f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-component-object-model-hijacking.asciidoc @@ -0,0 +1,180 @@ +[[prebuilt-rule-8-11-3-component-object-model-hijacking]] +=== Component Object Model Hijacking + +Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Component Object Model Hijacking + +Adversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Retrieve the file referenced in the registry and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and + /* not necessary but good for filtering privileged installations */ + user.domain != "NT AUTHORITY" and + ( + ( + registry.path : ("HK*\\InprocServer32\\", "\\REGISTRY\\*\\InprocServer32\\") and + registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and + not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*" + ) or + + /* in general COM Registry changes on Users Hive is less noisy and worth alerting */ + (registry.path : ( + "HKEY_USERS\\*\\InprocServer32\\", + "HKEY_USERS\\*\\LocalServer32\\", + "HKEY_USERS\\*\\DelegateExecute*", + "HKEY_USERS\\*\\TreatAs*", + "HKEY_USERS\\*\\ScriptletURL*", + "\\REGISTRY\\USER\\*\\InprocServer32\\", + "\\REGISTRY\\USER\\*\\LocalServer32\\", + "\\REGISTRY\\USER\\*\\DelegateExecute*", + "\\REGISTRY\\USER\\*\\TreatAs*", + "\\REGISTRY\\USER\\*\\ScriptletURL*" + ) and not + ( + process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and + registry.path : ( + "HKEY_USERS\\S-1-*_Classes\\CLSID\\*\\LocalServer32\\", + "\\REGISTRY\\USER\\S-1-*_Classes\\CLSID\\*\\LocalServer32\\")) + ) or + + ( + registry.path : ("HKLM\\*\\InProcServer32\\*", "\\REGISTRY\\MACHINE\\*\\InProcServer32\\*") and + registry.data.strings : ("*\\Users\\*", "*\\ProgramData\\*") + ) + ) and + + /* removes false-positives generated by OneDrive and Teams */ + not process.name: ("OneDrive.exe", "OneDriveSetup.exe", "FileSyncConfig.exe", "Teams.exe") and + + /* Teams DLL loaded by regsvr */ + not (process.name: "regsvr32.exe" and registry.data.strings : "*Microsoft.Teams.*.dll") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Component Object Model Hijacking +** ID: T1546.015 +** Reference URL: https://attack.mitre.org/techniques/T1546/015/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Component Object Model Hijacking +** ID: T1546.015 +** Reference URL: https://attack.mitre.org/techniques/T1546/015/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-conhost-spawned-by-suspicious-parent-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-conhost-spawned-by-suspicious-parent-process.asciidoc new file mode 100644 index 0000000000..c51981da24 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-conhost-spawned-by-suspicious-parent-process.asciidoc @@ -0,0 +1,147 @@ +[[prebuilt-rule-8-11-3-conhost-spawned-by-suspicious-parent-process]] +=== Conhost Spawned By Suspicious Parent Process + +Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Defense Evasion +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Conhost Spawned By Suspicious Parent Process + +The Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications. + +Attackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Retrieve the parent process executable and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26 +- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : "conhost.exe" and + process.parent.name : ("lsass.exe", "services.exe", "smss.exe", "winlogon.exe", "explorer.exe", "dllhost.exe", "rundll32.exe", + "regsvr32.exe", "userinit.exe", "wininit.exe", "spoolsv.exe", "ctfmon.exe") and + not (process.parent.name : "rundll32.exe" and + process.parent.args : ("?:\\Windows\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc", + "?:\\WINDOWS\\system32\\PcaSvc.dll,PcaPatchSdbTask", + "?:\\WINDOWS\\system32\\davclnt.dll,DavSetCookie")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-connection-to-commonly-abused-free-ssl-certificate-providers.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-connection-to-commonly-abused-free-ssl-certificate-providers.asciidoc new file mode 100644 index 0000000000..ef0b1ae41e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-connection-to-commonly-abused-free-ssl-certificate-providers.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-8-11-3-connection-to-commonly-abused-free-ssl-certificate-providers]] +=== Connection to Commonly Abused Free SSL Certificate Providers + +Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +network where host.os.type == "windows" and network.protocol == "dns" and + /* Add new free SSL certificate provider domains here */ + dns.question.name : ("*letsencrypt.org", "*.sslforfree.com", "*.zerossl.com", "*.freessl.org") and + + /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */ + process.executable : ("C:\\Windows\\System32\\*.exe", + "C:\\Windows\\System\\*.exe", + "C:\\Windows\\SysWOW64\\*.exe", + "C:\\Windows\\Microsoft.NET\\Framework*\\*.exe", + "C:\\Windows\\explorer.exe", + "C:\\Windows\\notepad.exe") and + + /* Insert noisy false positives here */ + not process.name : ("svchost.exe", "MicrosoftEdge*.exe", "msedge.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Encrypted Channel +** ID: T1573 +** Reference URL: https://attack.mitre.org/techniques/T1573/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-connection-to-commonly-abused-web-services.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-connection-to-commonly-abused-web-services.asciidoc new file mode 100644 index 0000000000..551e866b4e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-connection-to-commonly-abused-web-services.asciidoc @@ -0,0 +1,227 @@ +[[prebuilt-rule-8-11-3-connection-to-commonly-abused-web-services]] +=== Connection to Commonly Abused Web Services + +Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Connection to Commonly Abused Web Services + +Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. + +This rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Verify whether the digital signature exists in the executable. +- Identify the operation type (upload, download, tunneling, etc.). +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +network where host.os.type == "windows" and network.protocol == "dns" and + process.name != null and user.id not in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and + /* Add new WebSvc domains here */ + dns.question.name : + ( + "raw.githubusercontent.*", + "*.pastebin.*", + "*drive.google.*", + "*docs.live.*", + "*api.dropboxapi.*", + "*dropboxusercontent.*", + "*onedrive.*", + "*4shared.*", + "*.file.io", + "*filebin.net", + "*slack-files.com", + "*ghostbin.*", + "*ngrok.*", + "*portmap.*", + "*serveo.net", + "*localtunnel.me", + "*pagekite.me", + "*localxpose.io", + "*notabug.org", + "rawcdn.githack.*", + "paste.nrecom.net", + "zerobin.net", + "controlc.com", + "requestbin.net", + "cdn.discordapp.com", + "discordapp.com", + "discord.com", + "script.google.com", + "script.googleusercontent.com" + ) and + /* Insert noisy false positives here */ + not ( + ( + process.executable : ( + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\System32\\WWAHost.exe", + "?:\\Windows\\System32\\smartscreen.exe", + "?:\\Windows\\System32\\MicrosoftEdgeCP.exe", + "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", + "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Users\\*\\AppData\\Local\\BraveSoftware\\*\\Application\\brave.exe", + "?:\\Users\\*\\AppData\\Local\\Vivaldi\\Application\\vivaldi.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Opera*\\opera.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", + "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", + "?:\\Windows\\system32\\mobsync.exe", + "?:\\Windows\\SysWOW64\\mobsync.exe" + ) and process.code_signature.trusted == true + ) or + + /* Discord App */ + (process.name : "Discord.exe" and (process.code_signature.subject_name : "Discord Inc." and + process.code_signature.trusted == true) and dns.question.name : ("discord.com", "cdn.discordapp.com", "discordapp.com") + ) or + + /* MS Sharepoint */ + (process.name : "Microsoft.SharePoint.exe" and (process.code_signature.subject_name : "Microsoft Corporation" and + process.code_signature.trusted == true) and dns.question.name : "onedrive.live.com" + ) or + + /* Firefox */ + (process.name : "firefox.exe" and (process.code_signature.subject_name : "Mozilla Corporation" and + process.code_signature.trusted == true) + ) or + + /* Dropbox */ + (process.name : "Dropbox.exe" and (process.code_signature.subject_name : "Dropbox, Inc" and + process.code_signature.trusted == true) and dns.question.name : ("api.dropboxapi.com", "*.dropboxusercontent.com") + ) or + + /* Obsidian - Plugins are stored on raw.githubusercontent.com */ + (process.name : "Obsidian.exe" and (process.code_signature.subject_name : "Dynalist Inc" and + process.code_signature.trusted == true) and dns.question.name : "raw.githubusercontent.com" + ) or + + /* WebExperienceHostApp */ + (process.name : "WebExperienceHostApp.exe" and (process.code_signature.subject_name : "Microsoft Windows" and + process.code_signature.trusted == true) and dns.question.name : ("onedrive.live.com", "skyapi.onedrive.live.com") + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Web Service +** ID: T1102 +** Reference URL: https://attack.mitre.org/techniques/T1102/ +* Technique: +** Name: Dynamic Resolution +** ID: T1568 +** Reference URL: https://attack.mitre.org/techniques/T1568/ +* Sub-technique: +** Name: Domain Generation Algorithms +** ID: T1568.002 +** Reference URL: https://attack.mitre.org/techniques/T1568/002/ +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over Web Service +** ID: T1567 +** Reference URL: https://attack.mitre.org/techniques/T1567/ +* Sub-technique: +** Name: Exfiltration to Code Repository +** ID: T1567.001 +** Reference URL: https://attack.mitre.org/techniques/T1567/001/ +* Sub-technique: +** Name: Exfiltration to Cloud Storage +** ID: T1567.002 +** Reference URL: https://attack.mitre.org/techniques/T1567/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-connection-to-external-network-via-telnet.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-connection-to-external-network-via-telnet.asciidoc new file mode 100644 index 0000000000..706c267a64 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-connection-to-external-network-via-telnet.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-11-3-connection-to-external-network-via-telnet]] +=== Connection to External Network via Telnet + +Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"] + [network where host.os.type == "linux" and process.name == "telnet" and + not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", + "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", + "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", + "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", + "FE80::/10", "FF00::/8")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-connection-to-internal-network-via-telnet.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-connection-to-internal-network-via-telnet.asciidoc new file mode 100644 index 0000000000..f8cc882f38 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-connection-to-internal-network-via-telnet.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-11-3-connection-to-internal-network-via-telnet]] +=== Connection to Internal Network via Telnet + +Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where host.os.type == "linux" and process.name == "telnet" and event.type == "start"] + [network where host.os.type == "linux" and process.name == "telnet" and + cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", + "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", + "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", + "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", + "FE80::/10", "FF00::/8")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-control-panel-process-with-unusual-arguments.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-control-panel-process-with-unusual-arguments.asciidoc new file mode 100644 index 0000000000..96eb59d6f7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-control-panel-process-with-unusual-arguments.asciidoc @@ -0,0 +1,84 @@ +[[prebuilt-rule-8-11-3-control-panel-process-with-unusual-arguments]] +=== Control Panel Process with Unusual Arguments + +Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.joesandbox.com/analysis/476188/1/html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.executable : ("?:\\Windows\\SysWOW64\\control.exe", "?:\\Windows\\System32\\control.exe") and + process.command_line : + ("*.jpg*", + "*.png*", + "*.gif*", + "*.bmp*", + "*.jpeg*", + "*.TIFF*", + "*.inf*", + "*.cpl:*/*", + "*../../..*", + "*/AppData/Local/*", + "*:\\Users\\Public\\*", + "*\\AppData\\Local\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Control Panel +** ID: T1218.002 +** Reference URL: https://attack.mitre.org/techniques/T1218/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-a-hidden-local-user-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-a-hidden-local-user-account.asciidoc new file mode 100644 index 0000000000..a1c42868e3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-a-hidden-local-user-account.asciidoc @@ -0,0 +1,109 @@ +[[prebuilt-rule-8-11-3-creation-of-a-hidden-local-user-account]] +=== Creation of a Hidden Local User Account + +Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html +* https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Creation of a Hidden Local User Account + +Attackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters. + +This rule uses registry events to identify the creation of local hidden accounts. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positive (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Delete the hidden account. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and registry.path : ( + "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\", + "\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Local Account +** ID: T1136.001 +** Reference URL: https://attack.mitre.org/techniques/T1136/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-hidden-files-and-directories-via-commandline.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-hidden-files-and-directories-via-commandline.asciidoc new file mode 100644 index 0000000000..d5b6ba4b26 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-hidden-files-and-directories-via-commandline.asciidoc @@ -0,0 +1,71 @@ +[[prebuilt-rule-8-11-3-creation-of-hidden-files-and-directories-via-commandline]] +=== Creation of Hidden Files and Directories via CommandLine + +Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and +process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and +process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and +not process.name in ("ls", "find", "grep", "git") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-hidden-launch-agent-or-daemon.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-hidden-launch-agent-or-daemon.asciidoc new file mode 100644 index 0000000000..69cadcff5a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-hidden-launch-agent-or-daemon.asciidoc @@ -0,0 +1,87 @@ +[[prebuilt-rule-8-11-3-creation-of-hidden-launch-agent-or-daemon]] +=== Creation of Hidden Launch Agent or Daemon + +Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "macos" and event.type != "deletion" and + file.path : + ( + "/System/Library/LaunchAgents/.*.plist", + "/Library/LaunchAgents/.*.plist", + "/Users/*/Library/LaunchAgents/.*.plist", + "/System/Library/LaunchDaemons/.*.plist", + "/Library/LaunchDaemons/.*.plist" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Launch Agent +** ID: T1543.001 +** Reference URL: https://attack.mitre.org/techniques/T1543/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-hidden-login-item-via-apple-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-hidden-login-item-via-apple-script.asciidoc new file mode 100644 index 0000000000..9555d6104f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-hidden-login-item-via-apple-script.asciidoc @@ -0,0 +1,82 @@ +[[prebuilt-rule-8-11-3-creation-of-hidden-login-item-via-apple-script]] +=== Creation of Hidden Login Item via Apple Script + +Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and + process.command_line : "osascript*login item*hidden:true*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: AppleScript +** ID: T1059.002 +** Reference URL: https://attack.mitre.org/techniques/T1059/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Plist File Modification +** ID: T1647 +** Reference URL: https://attack.mitre.org/techniques/T1647/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-hidden-shared-object-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-hidden-shared-object-file.asciidoc new file mode 100644 index 0000000000..e3da872211 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-of-hidden-shared-object-file.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-11-3-creation-of-hidden-shared-object-file]] +=== Creation of Hidden Shared Object File + +Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc new file mode 100644 index 0000000000..8dd53e040d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-3-creation-or-modification-of-a-new-gpo-scheduled-task-or-service]] +=== Creation or Modification of a new GPO Scheduled Task or Service + +Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and + file.path : ("?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\ScheduledTasks\\ScheduledTasks.xml", + "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\Services\\Services.xml") and + not process.name : "dfsrs.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Domain Policy Modification +** ID: T1484 +** Reference URL: https://attack.mitre.org/techniques/T1484/ +* Sub-technique: +** Name: Group Policy Modification +** ID: T1484.001 +** Reference URL: https://attack.mitre.org/techniques/T1484/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc new file mode 100644 index 0000000000..2f2c96aa87 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc @@ -0,0 +1,86 @@ +[[prebuilt-rule-8-11-3-creation-or-modification-of-domain-backup-dpapi-private-key]] +=== Creation or Modification of Domain Backup DPAPI private key + +Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/ +* https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys. + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and file.name : ("ntds_capi_*.pfx", "ntds_capi_*.pvk") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Unsecured Credentials +** ID: T1552 +** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Sub-technique: +** Name: Private Keys +** ID: T1552.004 +** Reference URL: https://attack.mitre.org/techniques/T1552/004/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-or-modification-of-root-certificate.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-or-modification-of-root-certificate.asciidoc new file mode 100644 index 0000000000..872df28048 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-creation-or-modification-of-root-certificate.asciidoc @@ -0,0 +1,145 @@ +[[prebuilt-rule-8-11-3-creation-or-modification-of-root-certificate]] +=== Creation or Modification of Root Certificate + +Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec +* https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Creation or Modification of Root Certificate + +Root certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites. + +[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography. + +This rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes. +- If one of the processes is suspicious, retrieve it and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove the malicious certificate from the root certificate store. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type in ("creation", "change") and + registry.path : + ( + "HKLM\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob", + "HKLM\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob", + "HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob", + "HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob", + "\\REGISTRY\\MACHINE\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob", + "\\REGISTRY\\MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob", + "\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob", + "\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob" + ) and + not process.executable : + ("?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\System32\\*.exe", + "?:\\Windows\\SysWOW64\\*.exe", + "?:\\Windows\\Sysmon64.exe", + "?:\\Windows\\Sysmon.exe", + "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", + "?:\\Windows\\WinSxS\\*.exe", + "?:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Subvert Trust Controls +** ID: T1553 +** Reference URL: https://attack.mitre.org/techniques/T1553/ +* Sub-technique: +** Name: Install Root Certificate +** ID: T1553.004 +** Reference URL: https://attack.mitre.org/techniques/T1553/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-credential-acquisition-via-registry-hive-dumping.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-credential-acquisition-via-registry-hive-dumping.asciidoc new file mode 100644 index 0000000000..f3e2cc8eb8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-credential-acquisition-via-registry-hive-dumping.asciidoc @@ -0,0 +1,125 @@ +[[prebuilt-rule-8-11-3-credential-acquisition-via-registry-hive-dumping]] +=== Credential Acquisition via Registry Hive Dumping + +Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8 +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Credential Acquisition via Registry Hive Dumping + +Dumping registry hives is a common way to access credential information as some hives store credential material. + +For example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets). + +Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets. + +This rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host. + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate if the credential material was exfiltrated or processed locally by other tools. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host. + +### False positive analysis + +- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. Check whether the user is legitamitely performing this kind of activity. + +### Related rules + +- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Reimage the host operating system and restore compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.pe.original_file_name == "reg.exe" and + process.args : ("save", "export") and + process.args : ("hklm\\sam", "hklm\\security") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Sub-technique: +** Name: LSA Secrets +** ID: T1003.004 +** Reference URL: https://attack.mitre.org/techniques/T1003/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-cron-job-created-or-changed-by-previously-unknown-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-cron-job-created-or-changed-by-previously-unknown-process.asciidoc new file mode 100644 index 0000000000..ac69935e56 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-cron-job-created-or-changed-by-previously-unknown-process.asciidoc @@ -0,0 +1,97 @@ +[[prebuilt-rule-8-11-3-cron-job-created-or-changed-by-previously-unknown-process]] +=== Cron Job Created or Changed by Previously Unknown Process + +Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "creation" or "file_create_event") and +file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or +/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) +and not (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "5") or +file.extension : ("swp" or "swpx")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-deleting-backup-catalogs-with-wbadmin.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-deleting-backup-catalogs-with-wbadmin.asciidoc new file mode 100644 index 0000000000..a2d2a2da7e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-deleting-backup-catalogs-with-wbadmin.asciidoc @@ -0,0 +1,117 @@ +[[prebuilt-rule-8-11-3-deleting-backup-catalogs-with-wbadmin]] +=== Deleting Backup Catalogs with Wbadmin + +Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Deleting Backup Catalogs with Wbadmin + +Windows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks. + +This rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Check if any files on the host machine have been encrypted. + +### False positive analysis + +- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate. + +### Related rules + +- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- If any backups were affected: + - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "wbadmin.exe" or process.pe.original_file_name == "WBADMIN.EXE") and + process.args : "catalog" and process.args : "delete" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-deprecated-potential-reverse-shell-via-suspicious-parent-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-deprecated-potential-reverse-shell-via-suspicious-parent-process.asciidoc new file mode 100644 index 0000000000..a2a47c3a95 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-deprecated-potential-reverse-shell-via-suspicious-parent-process.asciidoc @@ -0,0 +1,95 @@ +[[prebuilt-rule-8-11-3-deprecated-potential-reverse-shell-via-suspicious-parent-process]] +=== Deprecated - Potential Reverse Shell via Suspicious Parent Process + +This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +This rule was deprecated due to its addition to the umbrella `Potential Reverse Shell via Suspicious Child Process` (76e4d92b-61c1-4a95-ab61-5fd94179a1ee) rule. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.parent.entity_id with maxspan=1s +[ process where host.os.type == "linux" and event.type == "start" and event.action == "fork" and ( + (process.name : "python*" and process.args == "-c" and not process.args == "/usr/bin/supervisord") or + (process.name : "php*" and process.args == "-r") or + (process.name : "perl" and process.args == "-e") or + (process.name : "ruby" and process.args in ("-e", "-rsocket")) or + (process.name : "lua*" and process.args == "-e") or + (process.name : "openssl" and process.args : "-connect") or + (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3 and not process.args == "-z") or + (process.name : "telnet" and process.args_count >= 3) or + (process.name : "awk")) and + process.parent.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ] +[ network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and + process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and + destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc new file mode 100644 index 0000000000..91e21d4001 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc @@ -0,0 +1,134 @@ +[[prebuilt-rule-8-11-3-disable-windows-event-and-security-logs-using-built-in-tools]] +=== Disable Windows Event and Security Logs Using Built-in Tools + +Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman +* https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic +* Ivan Ninichuck +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Disable Windows Event and Security Logs Using Built-in Tools + +Windows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response. + +This rule looks for the usage of different utilities to disable the EventLog service or specific event logs. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + - Verify if any other anti-forensics behaviors were observed. +- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Re-enable affected logging components, services, and security monitoring. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +( + ((process.name:"logman.exe" or process.pe.original_file_name == "Logman.exe") and + process.args : "EventLog-*" and process.args : ("stop", "delete")) or + + ((process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or process.pe.original_file_name in + ("pwsh.exe", "powershell.exe", "powershell_ise.exe")) and + process.args : "Set-Service" and process.args: "EventLog" and process.args : "Disabled") or + + ((process.name:"auditpol.exe" or process.pe.original_file_name == "AUDITPOL.EXE") and process.args : "/success:disable") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Windows Event Logs +** ID: T1070.001 +** Reference URL: https://attack.mitre.org/techniques/T1070/001/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable Windows Event Logging +** ID: T1562.002 +** Reference URL: https://attack.mitre.org/techniques/T1562/002/ +* Sub-technique: +** Name: Indicator Blocking +** ID: T1562.006 +** Reference URL: https://attack.mitre.org/techniques/T1562/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-disable-windows-firewall-rules-via-netsh.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-disable-windows-firewall-rules-via-netsh.asciidoc new file mode 100644 index 0000000000..6f786268e9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-disable-windows-firewall-rules-via-netsh.asciidoc @@ -0,0 +1,111 @@ +[[prebuilt-rule-8-11-3-disable-windows-firewall-rules-via-netsh]] +=== Disable Windows Firewall Rules via Netsh + +Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Disable Windows Firewall Rules via Netsh + +The Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device. + +Attackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity. + +This rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the user to check if they are aware of the operation. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting. +- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : "netsh.exe" and + ( + (process.args : "disable" and process.args : "firewall" and process.args : "set") or + (process.args : "advfirewall" and process.args : "off" and process.args : "state") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify System Firewall +** ID: T1562.004 +** Reference URL: https://attack.mitre.org/techniques/T1562/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-disabling-user-account-control-via-registry-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-disabling-user-account-control-via-registry-modification.asciidoc new file mode 100644 index 0000000000..84ea43ec1c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-disabling-user-account-control-via-registry-modification.asciidoc @@ -0,0 +1,161 @@ +[[prebuilt-rule-8-11-3-disabling-user-account-control-via-registry-modification]] +=== Disabling User Account Control via Registry Modification + +User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.greyhathacker.net/?p=796 +* https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings +* https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Disabling User Account Control via Registry Modification + +Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted. + +For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works). + +Attackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behaviors in the alert timeframe. +- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes. +- Retrieve the suspicious processes' executables and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Restore UAC settings to the desired state. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type == "change" and + registry.path : + ( + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin", + "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop" + ) and + registry.data.strings : ("0", "0x00000000") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-disabling-windows-defender-security-settings-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-disabling-windows-defender-security-settings-via-powershell.asciidoc new file mode 100644 index 0000000000..e417738584 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-disabling-windows-defender-security-settings-via-powershell.asciidoc @@ -0,0 +1,130 @@ +[[prebuilt-rule-8-11-3-disabling-windows-defender-security-settings-via-powershell]] +=== Disabling Windows Defender Security Settings via PowerShell + +Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Disabling Windows Defender Security Settings via PowerShell + +Microsoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks. + +This rule monitors the execution of commands that can tamper the Windows Defender antivirus features. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed. + +### Related rules + +- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb +- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and + process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-dns-over-https-enabled-via-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-dns-over-https-enabled-via-registry.asciidoc new file mode 100644 index 0000000000..931c770127 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-dns-over-https-enabled-via-registry.asciidoc @@ -0,0 +1,76 @@ +[[prebuilt-rule-8-11-3-dns-over-https-enabled-via-registry]] +=== DNS-over-HTTPS Enabled via Registry + +Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html +* https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type in ("creation", "change") and + (registry.path : "*\\SOFTWARE\\Policies\\Microsoft\\Edge\\BuiltInDnsClientEnabled" and + registry.data.strings : "1") or + (registry.path : "*\\SOFTWARE\\Google\\Chrome\\DnsOverHttpsMode" and + registry.data.strings : "secure") or + (registry.path : "*\\SOFTWARE\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS" and + registry.data.strings : "1") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-dumping-of-keychain-content-via-security-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-dumping-of-keychain-content-via-security-command.asciidoc new file mode 100644 index 0000000000..1f899bf0f1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-dumping-of-keychain-content-via-security-command.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-11-3-dumping-of-keychain-content-via-security-command]] +=== Dumping of Keychain Content via Security Command + +Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://ss64.com/osx/security.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-dynamic-linker-copy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-dynamic-linker-copy.asciidoc new file mode 100644 index 0000000000..aaf31db55a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-dynamic-linker-copy.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-3-dynamic-linker-copy]] +=== Dynamic Linker Copy + +Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Orbit +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=1m +[process where host.os.type == "linux" and event.type == "start" and process.name : ("cp", "rsync") and + process.args : ("/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload")] +[file where host.os.type == "linux" and event.action == "creation" and file.extension == "so"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-elastic-agent-service-terminated.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-elastic-agent-service-terminated.asciidoc new file mode 100644 index 0000000000..a89c037372 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-elastic-agent-service-terminated.asciidoc @@ -0,0 +1,84 @@ +[[prebuilt-rule-8-11-3-elastic-agent-service-terminated]] +=== Elastic Agent Service Terminated + +Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: Windows +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where +/* net, sc or wmic stopping or deleting Elastic Agent on Windows */ +(event.type == "start" and + process.name : ("net.exe", "sc.exe", "wmic.exe","powershell.exe","taskkill.exe","PsKill.exe","ProcessHacker.exe") and + process.args : ("stopservice","uninstall", "stop", "disabled","Stop-Process","terminate","suspend") and + process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint")) +or +/* service or systemctl used to stop Elastic Agent on Linux */ +(event.type == "end" and + (process.name : ("systemctl", "service") and + process.args : "elastic-agent" and + process.args : "stop") + or + /* pkill , killall used to stop Elastic Agent on Linux */ + ( event.type == "end" and process.name : ("pkill", "killall") and process.args: "elastic-agent") + or + /* Unload Elastic Agent extension on MacOS */ + (process.name : "kextunload" and + process.args : "com.apple.iokit.EndpointSecurity" and + event.action : "end")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-emond-rules-creation-or-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-emond-rules-creation-or-modification.asciidoc new file mode 100644 index 0000000000..6ec8d73392 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-emond-rules-creation-or-modification.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-3-emond-rules-creation-or-modification]] +=== Emond Rules Creation or Modification + +Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.xorrior.com/emond-persistence/ +* https://www.sentinelone.com/blog/how-malware-persists-on-macos/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "macos" and event.type != "deletion" and + file.path : ("/private/etc/emond.d/rules/*.plist", "/etc/emon.d/rules/*.plist", "/private/var/db/emondClients/*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Emond +** ID: T1546.014 +** Reference URL: https://attack.mitre.org/techniques/T1546/014/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enable-host-network-discovery-via-netsh.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enable-host-network-discovery-via-netsh.asciidoc new file mode 100644 index 0000000000..caac47e65a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enable-host-network-discovery-via-netsh.asciidoc @@ -0,0 +1,109 @@ +[[prebuilt-rule-8-11-3-enable-host-network-discovery-via-netsh]] +=== Enable Host Network Discovery via Netsh + +Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Enable Host Network Discovery via Netsh + +The Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device. + +Attackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. This rule looks for the setup of this setting using the netsh utility. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Disable Network Discovery: + - Using netsh: `netsh advfirewall firewall set rule group="Network Discovery" new enable=No` +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +process.name : "netsh.exe" and +process.args : ("firewall", "advfirewall") and process.args : "group=Network Discovery" and process.args : "enable=Yes" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify System Firewall +** ID: T1562.004 +** Reference URL: https://attack.mitre.org/techniques/T1562/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-encrypting-files-with-winrar-or-7z.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-encrypting-files-with-winrar-or-7z.asciidoc new file mode 100644 index 0000000000..f5192dcd1c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-encrypting-files-with-winrar-or-7z.asciidoc @@ -0,0 +1,134 @@ +[[prebuilt-rule-8-11-3-encrypting-files-with-winrar-or-7z]] +=== Encrypting Files with WinRar or 7z + +Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Encrypting Files with WinRar or 7z + +Attackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender. + +These steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages. + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Retrieve the encrypted file. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check if the password used in the encryption was included in the command line. +- Decrypt the `.rar`/`.zip` and check if the information is sensitive. +- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file. +- Investigate if the file was transferred to an attacker-controlled server. + +### False positive analysis + +- Backup software can use these utilities. Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Prioritize cases that involve personally identifiable information (PII) or other classified data. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +( + ( + ( + process.name:"rar.exe" or process.code_signature.subject_name == "win.rar GmbH" or + process.pe.original_file_name == "Command line RAR" + ) and + process.args == "a" and process.args : ("-hp*", "-p*", "/hp*", "/p*") + ) or + ( + process.pe.original_file_name in ("7z.exe", "7za.exe") and + process.args == "a" and process.args : "-p*" + ) +) and + not process.parent.executable : ( + "C:\\Program Files\\*.exe", + "C:\\Program Files (x86)\\*.exe", + "?:\\ManageEngine\\*\\jre\\bin\\java.exe", + "?:\\Nox\\bin\\Nox.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Archive Collected Data +** ID: T1560 +** Reference URL: https://attack.mitre.org/techniques/T1560/ +* Sub-technique: +** Name: Archive via Utility +** ID: T1560.001 +** Reference URL: https://attack.mitre.org/techniques/T1560/001/ +* Technique: +** Name: Data from Local System +** ID: T1005 +** Reference URL: https://attack.mitre.org/techniques/T1005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-command-spawned-via-wmiprvse.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-command-spawned-via-wmiprvse.asciidoc new file mode 100644 index 0000000000..30a35c3c6c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-command-spawned-via-wmiprvse.asciidoc @@ -0,0 +1,122 @@ +[[prebuilt-rule-8-11-3-enumeration-command-spawned-via-wmiprvse]] +=== Enumeration Command Spawned via WMIPrvSE + +Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE). + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name: + ( + "arp.exe", + "dsquery.exe", + "dsget.exe", + "gpresult.exe", + "hostname.exe", + "ipconfig.exe", + "nbtstat.exe", + "net.exe", + "net1.exe", + "netsh.exe", + "netstat.exe", + "nltest.exe", + "ping.exe", + "qprocess.exe", + "quser.exe", + "qwinsta.exe", + "reg.exe", + "sc.exe", + "systeminfo.exe", + "tasklist.exe", + "tracert.exe", + "whoami.exe" + ) and + process.parent.name:"wmiprvse.exe" and + not ( + process.name : "sc.exe" and process.args : "RemoteRegistry" and process.args : "start=" and + process.args : ("demand", "disabled") + ) and + not process.args : "tenable_mw_scan" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Remote System Discovery +** ID: T1018 +** Reference URL: https://attack.mitre.org/techniques/T1018/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Technique: +** Name: Software Discovery +** ID: T1518 +** Reference URL: https://attack.mitre.org/techniques/T1518/ +* Technique: +** Name: System Network Configuration Discovery +** ID: T1016 +** Reference URL: https://attack.mitre.org/techniques/T1016/ +* Sub-technique: +** Name: Internet Connection Discovery +** ID: T1016.001 +** Reference URL: https://attack.mitre.org/techniques/T1016/001/ +* Technique: +** Name: Process Discovery +** ID: T1057 +** Reference URL: https://attack.mitre.org/techniques/T1057/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-of-administrator-accounts.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-of-administrator-accounts.asciidoc new file mode 100644 index 0000000000..69d9cbf954 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-of-administrator-accounts.asciidoc @@ -0,0 +1,137 @@ +[[prebuilt-rule-8-11-3-enumeration-of-administrator-accounts]] +=== Enumeration of Administrator Accounts + +Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Enumeration of Administrator Accounts + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software. + +This rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. + +### Related rules + +- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +( + (((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or + ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and + not process.parent.name : "net.exe")) and + process.args : ("group", "user", "localgroup") and + process.args : ("*admin*", "Domain Admins", "Remote Desktop Users", "Enterprise Admins", "Organization Management") and + not process.args : "/add") + + or + + ((process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and + process.args : ("group", "useraccount")) +) and not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Local Groups +** ID: T1069.001 +** Reference URL: https://attack.mitre.org/techniques/T1069/001/ +* Sub-technique: +** Name: Domain Groups +** ID: T1069.002 +** Reference URL: https://attack.mitre.org/techniques/T1069/002/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Sub-technique: +** Name: Local Account +** ID: T1087.001 +** Reference URL: https://attack.mitre.org/techniques/T1087/001/ +* Sub-technique: +** Name: Domain Account +** ID: T1087.002 +** Reference URL: https://attack.mitre.org/techniques/T1087/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-of-kernel-modules.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-of-kernel-modules.asciidoc new file mode 100644 index 0000000000..d638b6c9e2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-of-kernel-modules.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-11-3-enumeration-of-kernel-modules]] +=== Enumeration of Kernel Modules + +Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:start and ( + (process.name:(lsmod or modinfo)) or + (process.name:kmod and process.args:list) or + (process.name:depmod and process.args:(--all or -a)) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-of-privileged-local-groups-membership.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-of-privileged-local-groups-membership.asciidoc new file mode 100644 index 0000000000..57818819c2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-of-privileged-local-groups-membership.asciidoc @@ -0,0 +1,159 @@ +[[prebuilt-rule-8-11-3-enumeration-of-privileged-local-groups-membership]] +=== Enumeration of Privileged Local Groups Membership + +Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users. + +*Rule type*: new_terms + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Resources: Investigation Guide + +*Version*: 209 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Enumeration of Privileged Local Groups Membership + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software. + +This rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Identify the process, host and user involved on the event. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:windows and event.category:iam and event.action:user-member-enumerated and + ( + group.name:(*Admin* or "RemoteDesktopUsers") or + winlog.event_data.TargetSid:("S-1-5-32-544" or "S-1-5-32-555") + ) and + not (winlog.event_data.SubjectUserName: (*$ or "LOCAL SERVICE" or "NETWORK SERVICE") or + winlog.event_data.CallerProcessName:("-" or + *\:\\\\Windows\\\\System32\\\\VSSVC.exe or + *\:\\\\Windows\\\\System32\\\\SearchIndexer.exe or + *\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe or + *\:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe or + *\:\\\\Windows\\\\System32\\\\net1.exe or + *\:\\\\Windows\\\\System32\\\\svchost.exe or + *\:\\\\Windows\\\\System32\\\\Netplwiz.exe or + *\:\\\\Windows\\\\System32\\\\msiexec.exe or + *\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe or + *\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe or + *\:\\\\Windows\\\\System32\\\\SrTasks.exe or + *\:\\\\Windows\\\\System32\\\\diskshadow.exe or + *\:\\\\Windows\\\\System32\\\\dfsrs.exe or + *\:\\\\Windows\\\\System32\\\\vssadmin.exe or + *\:\\\\Windows\\\\System32\\\\dllhost.exe or + *\:\\\\Windows\\\\System32\\\\mmc.exe or + *\:\\\\Windows\\\\System32\\\\SettingSyncHost.exe or + *\:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe or + *\:\\\\Windows\\\\System32\\\\wsmprovhost.exe or + *\:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe or + *\:\\\\Windows\\\\System32\\\\mstsc.exe or + *\:\\\\Windows\\\\System32\\\\esentutl.exe or + *\:\\\\Windows\\\\System32\\\\RecoveryDrive.exe or + *\:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe or + *\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe or + *\:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe or + *\:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe or + *\:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe or + ?\:\\\\WindowsAzure\\\\*WaAppAgent.exe or + ?\:\\\\Program?Files?\(x86\)\\\\*.exe or + ?\:\\\\Program?Files\\\\*.exe or + ?\:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Local Groups +** ID: T1069.001 +** Reference URL: https://attack.mitre.org/techniques/T1069/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-of-users-or-groups-via-built-in-commands.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-of-users-or-groups-via-built-in-commands.asciidoc new file mode 100644 index 0000000000..3234b7b46e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-enumeration-of-users-or-groups-via-built-in-commands.asciidoc @@ -0,0 +1,90 @@ +[[prebuilt-rule-8-11-3-enumeration-of-users-or-groups-via-built-in-commands]] +=== Enumeration of Users or Groups via Built-in Commands + +Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + ( + process.name : ("ldapsearch", "dsmemberutil") or + (process.name : "dscl" and + process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and + process.args : ("/Active Directory/*", "/Users*", "/Groups*")) + ) and + not process.parent.executable : ("/Applications/NoMAD.app/Contents/MacOS/NoMAD", + "/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence", + "/Applications/Sourcetree.app/Contents/MacOS/Sourcetree", + "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon", + "/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect", + "/usr/local/jamf/bin/jamf", + "/Library/Application Support/AirWatch/hubd", + "/opt/jc/bin/jumpcloud-agent", + "/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon", + "/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon", + "/Library/PrivilegedHelperTools/com.fortinet.forticlient.uninstall_helper" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Local Groups +** ID: T1069.001 +** Reference URL: https://attack.mitre.org/techniques/T1069/001/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Sub-technique: +** Name: Local Account +** ID: T1087.001 +** Reference URL: https://attack.mitre.org/techniques/T1087/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-esxi-discovery-via-find.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-esxi-discovery-via-find.asciidoc new file mode 100644 index 0000000000..7f5c4831b9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-esxi-discovery-via-find.asciidoc @@ -0,0 +1,62 @@ +[[prebuilt-rule-8-11-3-esxi-discovery-via-find]] +=== ESXI Discovery via Find + +Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and process.name : "find" and +process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Software Discovery +** ID: T1518 +** Reference URL: https://attack.mitre.org/techniques/T1518/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-esxi-discovery-via-grep.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-esxi-discovery-via-grep.asciidoc new file mode 100644 index 0000000000..fa31075ffc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-esxi-discovery-via-grep.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-11-3-esxi-discovery-via-grep]] +=== ESXI Discovery via Grep + +Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", or "vmem". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process.name in ("grep", "egrep", "pgrep") and +process.args in ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Software Discovery +** ID: T1518 +** Reference URL: https://attack.mitre.org/techniques/T1518/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-esxi-timestomping-using-touch-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-esxi-timestomping-using-touch-command.asciidoc new file mode 100644 index 0000000000..89ae607ff2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-esxi-timestomping-using-touch-command.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-11-3-esxi-timestomping-using-touch-command]] +=== ESXI Timestomping using Touch Command + +Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process.name : "touch" and process.args : "-r" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Timestomp +** ID: T1070.006 +** Reference URL: https://attack.mitre.org/techniques/T1070/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-executable-file-creation-with-multiple-extensions.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-executable-file-creation-with-multiple-extensions.asciidoc new file mode 100644 index 0000000000..7a6eb3aeb2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-executable-file-creation-with-multiple-extensions.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-3-executable-file-creation-with-multiple-extensions]] +=== Executable File Creation with Multiple Extensions + +Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and file.extension : "exe" and + file.name regex~ """.*\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\.exe""" and + not (process.executable : ("?:\\Windows\\System32\\msiexec.exe", "C:\\Users\\*\\QGIS_SCCM\\Files\\QGIS-OSGeo4W-*-Setup-x86_64.exe") and + file.path : "?:\\Program Files\\QGIS *\\apps\\grass\\*.exe") and + not process.executable : ("/bin/sh", "/usr/sbin/MailScanner", "/usr/bin/perl") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Double File Extension +** ID: T1036.007 +** Reference URL: https://attack.mitre.org/techniques/T1036/007/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: User Execution +** ID: T1204 +** Reference URL: https://attack.mitre.org/techniques/T1204/ +* Sub-technique: +** Name: Malicious File +** ID: T1204.002 +** Reference URL: https://attack.mitre.org/techniques/T1204/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-from-unusual-directory-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-from-unusual-directory-command-line.asciidoc new file mode 100644 index 0000000000..12a9037507 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-from-unusual-directory-command-line.asciidoc @@ -0,0 +1,244 @@ +[[prebuilt-rule-8-11-3-execution-from-unusual-directory-command-line]] +=== Execution from Unusual Directory - Command Line + +Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Execution from Unusual Directory - Command Line + +This rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the command line to determine which commands or scripts were executed. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the script using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of parent process executable and command line conditions. + +### Related rules + +- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : ("wscript.exe", + "cscript.exe", + "rundll32.exe", + "regsvr32.exe", + "cmstp.exe", + "RegAsm.exe", + "installutil.exe", + "mshta.exe", + "RegSvcs.exe", + "powershell.exe", + "pwsh.exe", + "cmd.exe") and + + /* add suspicious execution paths here */ + process.args : ("C:\\PerfLogs\\*", + "C:\\Users\\Public\\*", + "C:\\Windows\\Tasks\\*", + "C:\\Intel\\*", + "C:\\AMD\\Temp\\*", + "C:\\Windows\\AppReadiness\\*", + "C:\\Windows\\ServiceState\\*", + "C:\\Windows\\security\\*", + "C:\\Windows\\IdentityCRL\\*", + "C:\\Windows\\Branding\\*", + "C:\\Windows\\csc\\*", + "C:\\Windows\\DigitalLocker\\*", + "C:\\Windows\\en-US\\*", + "C:\\Windows\\wlansvc\\*", + "C:\\Windows\\Prefetch\\*", + "C:\\Windows\\Fonts\\*", + "C:\\Windows\\diagnostics\\*", + "C:\\Windows\\TAPI\\*", + "C:\\Windows\\INF\\*", + "C:\\Windows\\System32\\Speech\\*", + "C:\\windows\\tracing\\*", + "c:\\windows\\IME\\*", + "c:\\Windows\\Performance\\*", + "c:\\windows\\intel\\*", + "c:\\windows\\ms\\*", + "C:\\Windows\\dot3svc\\*", + "C:\\Windows\\panther\\*", + "C:\\Windows\\RemotePackages\\*", + "C:\\Windows\\OCR\\*", + "C:\\Windows\\appcompat\\*", + "C:\\Windows\\apppatch\\*", + "C:\\Windows\\addins\\*", + "C:\\Windows\\Setup\\*", + "C:\\Windows\\Help\\*", + "C:\\Windows\\SKB\\*", + "C:\\Windows\\Vss\\*", + "C:\\Windows\\servicing\\*", + "C:\\Windows\\CbsTemp\\*", + "C:\\Windows\\Logs\\*", + "C:\\Windows\\WaaS\\*", + "C:\\Windows\\twain_32\\*", + "C:\\Windows\\ShellExperiences\\*", + "C:\\Windows\\ShellComponents\\*", + "C:\\Windows\\PLA\\*", + "C:\\Windows\\Migration\\*", + "C:\\Windows\\debug\\*", + "C:\\Windows\\Cursors\\*", + "C:\\Windows\\Containers\\*", + "C:\\Windows\\Boot\\*", + "C:\\Windows\\bcastdvr\\*", + "C:\\Windows\\TextInput\\*", + "C:\\Windows\\security\\*", + "C:\\Windows\\schemas\\*", + "C:\\Windows\\SchCache\\*", + "C:\\Windows\\Resources\\*", + "C:\\Windows\\rescache\\*", + "C:\\Windows\\Provisioning\\*", + "C:\\Windows\\PrintDialog\\*", + "C:\\Windows\\PolicyDefinitions\\*", + "C:\\Windows\\media\\*", + "C:\\Windows\\Globalization\\*", + "C:\\Windows\\L2Schemas\\*", + "C:\\Windows\\LiveKernelReports\\*", + "C:\\Windows\\ModemLogs\\*", + "C:\\Windows\\ImmersiveControlPanel\\*", + "C:\\$Recycle.Bin\\*") and + + /* noisy FP patterns */ + + not process.parent.executable : ("C:\\WINDOWS\\System32\\DriverStore\\FileRepository\\*\\igfxCUIService*.exe", + "C:\\Windows\\System32\\spacedeskService.exe", + "C:\\Program Files\\Dell\\SupportAssistAgent\\SRE\\SRE.exe") and + not (process.name : "rundll32.exe" and + process.args : ("uxtheme.dll,#64", + "PRINTUI.DLL,PrintUIEntry", + "?:\\Windows\\System32\\FirewallControlPanel.dll,ShowNotificationDialog", + "?:\\WINDOWS\\system32\\Speech\\SpeechUX\\sapi.cpl", + "?:\\Windows\\system32\\shell32.dll,OpenAs_RunDLL")) and + + not (process.name : "cscript.exe" and process.args : "?:\\WINDOWS\\system32\\calluxxprovider.vbs") and + + not (process.name : "cmd.exe" and process.args : "?:\\WINDOWS\\system32\\powercfg.exe" and process.args : "?:\\WINDOWS\\inf\\PowerPlan.log") and + + not (process.name : "regsvr32.exe" and process.args : "?:\\Windows\\Help\\OEM\\scripts\\checkmui.dll") and + + not (process.name : "cmd.exe" and + process.parent.executable : ("?:\\Windows\\System32\\oobe\\windeploy.exe", + "?:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe", + "?:\\Windows\\System32\\igfxCUIService.exe", + "?:\\Windows\\Temp\\IE*.tmp\\IE*-support\\ienrcore.exe")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-of-com-object-via-xwizard.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-of-com-object-via-xwizard.asciidoc new file mode 100644 index 0000000000..719853a6b3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-of-com-object-via-xwizard.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-11-3-execution-of-com-object-via-xwizard]] +=== Execution of COM object via Xwizard + +Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ +* http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.pe.original_file_name : "xwizard.exe" and + ( + (process.args : "RunWizard" and process.args : "{*}") or + (process.executable != null and + not process.executable : ("C:\\Windows\\SysWOW64\\xwizard.exe", "C:\\Windows\\System32\\xwizard.exe") + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Inter-Process Communication +** ID: T1559 +** Reference URL: https://attack.mitre.org/techniques/T1559/ +* Sub-technique: +** Name: Component Object Model +** ID: T1559.001 +** Reference URL: https://attack.mitre.org/techniques/T1559/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-via-local-sxs-shared-module.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-via-local-sxs-shared-module.asciidoc new file mode 100644 index 0000000000..ae2454010e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-via-local-sxs-shared-module.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-11-3-execution-via-local-sxs-shared-module]] +=== Execution via local SxS Shared Module + +Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory. + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and file.extension : "dll" and file.path : "C:\\*\\*.exe.local\\*.dll" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Shared Modules +** ID: T1129 +** Reference URL: https://attack.mitre.org/techniques/T1129/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc new file mode 100644 index 0000000000..90be3ebbe6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc @@ -0,0 +1,134 @@ +[[prebuilt-rule-8-11-3-execution-via-mssql-xp-cmdshell-stored-procedure]] +=== Execution via MSSQL xp_cmdshell Stored Procedure + +Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Execution via MSSQL xp_cmdshell Stored Procedure + +Microsoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence. + +The xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the command line to determine if the command executed is potentially harmful or malicious. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. + +### False positive analysis + +- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions — preferably with a full command line. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources. +- Disable the xp_cmdshell stored procedure. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and + ( + (process.name : "cmd.exe" and + not process.args : ("\\\\*", "diskfree", "rmdir", "mkdir", "dir", "del", "rename", "bcp", "*XMLNAMESPACES*", + "?:\\MSSQL\\Backup\\Jobs\\sql_agent_backup_job.ps1", "K:\\MSSQL\\Backup\\msdb", "K:\\MSSQL\\Backup\\Logins")) or + + (process.name : "vpnbridge.exe" or process.pe.original_file_name : "vpnbridge.exe") or + + (process.name : "certutil.exe" or process.pe.original_file_name == "CertUtil.exe") or + + (process.name : "bitsadmin.exe" or process.pe.original_file_name == "bitsadmin.exe") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Server Software Component +** ID: T1505 +** Reference URL: https://attack.mitre.org/techniques/T1505/ +* Sub-technique: +** Name: SQL Stored Procedures +** ID: T1505.001 +** Reference URL: https://attack.mitre.org/techniques/T1505/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-via-tsclient-mountpoint.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-via-tsclient-mountpoint.asciidoc new file mode 100644 index 0000000000..05f3cf0efe --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-execution-via-tsclient-mountpoint.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-3-execution-via-tsclient-mountpoint]] +=== Execution via TSClient Mountpoint + +Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.executable : "\\Device\\Mup\\tsclient\\*.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Remote Desktop Protocol +** ID: T1021.001 +** Reference URL: https://attack.mitre.org/techniques/T1021/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-exporting-exchange-mailbox-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-exporting-exchange-mailbox-via-powershell.asciidoc new file mode 100644 index 0000000000..6962a1264a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-exporting-exchange-mailbox-via-powershell.asciidoc @@ -0,0 +1,139 @@ +[[prebuilt-rule-8-11-3-exporting-exchange-mailbox-via-powershell]] +=== Exporting Exchange Mailbox via PowerShell + +Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ +* https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Exporting Exchange Mailbox via PowerShell + +Email mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors. + +The `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange. + +Attackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the export operation: + - Identify the user account that performed the action and whether it should perform this kind of action. + - Contact the account owner and confirm whether they are aware of this activity. + - Check if this operation was approved and performed according to the organization's change management policy. + - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests. + - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the "Mailbox Import Export" privilege for abnormal activity. +- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export. +- If the operation was completed successfully: + - Check if the file is on the path specified in the command. + - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior. +- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests. +- Prioritize cases that involve personally identifiable information (PII) or other classified data. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Review the privileges of users with the "Mailbox Import Export" privilege to ensure that the least privilege principle is being followed. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and + process.command_line : ("*MailboxExportRequest*", "*-Mailbox*-ContentFilter*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Local System +** ID: T1005 +** Reference URL: https://attack.mitre.org/techniques/T1005/ +* Technique: +** Name: Email Collection +** ID: T1114 +** Reference URL: https://attack.mitre.org/techniques/T1114/ +* Sub-technique: +** Name: Remote Email Collection +** ID: T1114.002 +** Reference URL: https://attack.mitre.org/techniques/T1114/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-creation-execution-and-self-deletion-in-suspicious-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-creation-execution-and-self-deletion-in-suspicious-directory.asciidoc new file mode 100644 index 0000000000..db271ac699 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-creation-execution-and-self-deletion-in-suspicious-directory.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-11-3-file-creation-execution-and-self-deletion-in-suspicious-directory]] +=== File Creation, Execution and Self-Deletion in Suspicious Directory + +This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, user.id with maxspan=1m + [file where host.os.type == "linux" and event.action == "creation" and + process.name in ("curl", "wget", "fetch", "ftp", "sftp", "scp", "rsync", "ld") and + file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", + "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.name + [file where host.os.type == "linux" and event.action == "deletion" and not process.name in ("rm", "ld") and + file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", + "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-deletion-via-shred.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-deletion-via-shred.asciidoc new file mode 100644 index 0000000000..7da90b8296 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-deletion-via-shred.asciidoc @@ -0,0 +1,64 @@ +[[prebuilt-rule-8-11-3-file-deletion-via-shred]] +=== File Deletion via Shred + +Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:start and process.name:shred and +process.args:("-u" or "--remove" or "-z" or "--zero") and not process.parent.name:logrotate + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: File Deletion +** ID: T1070.004 +** Reference URL: https://attack.mitre.org/techniques/T1070/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-made-immutable-by-chattr.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-made-immutable-by-chattr.asciidoc new file mode 100644 index 0000000000..6156729513 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-made-immutable-by-chattr.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-3-file-made-immutable-by-chattr]] +=== File made Immutable by Chattr + +Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and user.name == "root" and + process.executable : "/usr/bin/chattr" and process.args : ("-*i*", "+*i*") and + not process.parent.executable: ("/lib/systemd/systemd", "/usr/local/uems_agent/bin/*", "/usr/lib/systemd/systemd") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: File and Directory Permissions Modification +** ID: T1222 +** Reference URL: https://attack.mitre.org/techniques/T1222/ +* Sub-technique: +** Name: Linux and Mac File and Directory Permissions Modification +** ID: T1222.002 +** Reference URL: https://attack.mitre.org/techniques/T1222/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-permission-modification-in-writable-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-permission-modification-in-writable-directory.asciidoc new file mode 100644 index 0000000000..6e8a3508f7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-permission-modification-in-writable-directory.asciidoc @@ -0,0 +1,62 @@ +[[prebuilt-rule-8-11-3-file-permission-modification-in-writable-directory]] +=== File Permission Modification in Writable Directory + +Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution. + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:process and event.type:start and +process.name:(chmod or chown or chattr or chgrp) and +process.working_directory:("/tmp" or "/var/tmp" or "/dev/shm") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: File and Directory Permissions Modification +** ID: T1222 +** Reference URL: https://attack.mitre.org/techniques/T1222/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-transfer-or-listener-established-via-netcat.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-transfer-or-listener-established-via-netcat.asciidoc new file mode 100644 index 0000000000..d03e8eaa8b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-file-transfer-or-listener-established-via-netcat.asciidoc @@ -0,0 +1,133 @@ +[[prebuilt-rule-8-11-3-file-transfer-or-listener-established-via-netcat]] +=== File Transfer or Listener Established via Netcat + +A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet +* https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf +* https://en.wikipedia.org/wiki/Netcat +* https://www.hackers-arise.com/hacking-fundamentals +* https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/ +* https://levelup.gitconnected.com/ethical-hacking-part-15-netcat-nc-and-netcat-f6a8f7df43fd + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Netcat Network Activity + +Netcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and connection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse shells to gain access to the target system. + +A reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. + +A bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for an incoming connection from the attacker. + +This rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat followed by a network connection. + +#### Possible investigation steps + +- Examine the command line to identify if the command is suspicious. +- Extract and examine the target domain or IP address. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes. + +### False positive analysis + +- Netcat is a dual-use tool that can be used for benign or malicious activity. It is included in some Linux distributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Block the identified indicators of compromise (IoCs). +- Take actions to terminate processes and connections used by the attacker. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id + [process where host.os.type == "linux" and event.type == "start" and + process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") and ( + /* bind shell to echo for command execution */ + (process.args:("-l","-p") and process.args:("-c","echo","$*")) + /* bind shell to specific port */ + or process.args:("-l","-p","-lp") + /* reverse shell to command-line interpreter used for command execution */ + or (process.args:("-e") and process.args:("/bin/bash","/bin/sh")) + /* file transfer via stdout */ + or process.args:(">","<") + /* file transfer via pipe */ + or (process.args:("|") and process.args:("nc","ncat")) + )] + [network where host.os.type == "linux" and (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or + process.name == "netcat.openbsd" or process.name == "netcat.traditional")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-firsttime-seen-account-performing-dcsync.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-firsttime-seen-account-performing-dcsync.asciidoc new file mode 100644 index 0000000000..99074be12d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-firsttime-seen-account-performing-dcsync.asciidoc @@ -0,0 +1,136 @@ +[[prebuilt-rule-8-11-3-firsttime-seen-account-performing-dcsync]] +=== FirstTime Seen Account Performing DCSync + +This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. + +*Rule type*: new_terms + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html +* https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing +* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md +* https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync +* https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Privilege Escalation +* Use Case: Active Directory Monitoring +* Data Source: Active Directory +* Resources: Investigation Guide + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating FirstTime Seen Account Performing DCSync + +Active Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data. + +Active Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object. + +Adversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate. + +More details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync). + +This rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not. +- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones). + +### False positive analysis + +- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert. +- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If the entire domain or the `krbtgt` user was compromised: + - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user. +- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.action:"Directory Service Access" and event.code:"4662" and + winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or + *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or + *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and + not winlog.event_data.SubjectUserName:(*$ or MSOL_*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: DCSync +** ID: T1003.006 +** Reference URL: https://attack.mitre.org/techniques/T1003/006/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-group-policy-abuse-for-privilege-addition.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-group-policy-abuse-for-privilege-addition.asciidoc new file mode 100644 index 0000000000..bcc2b565cc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-group-policy-abuse-for-privilege-addition.asciidoc @@ -0,0 +1,108 @@ +[[prebuilt-rule-8-11-3-group-policy-abuse-for-privilege-addition]] +=== Group Policy Abuse for Privilege Addition + +Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md +* https://labs.f-secure.com/tools/sharpgpoabuse + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Active Directory +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Group Policy Abuse for Privilege Addition + +Group Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: "\\DC.com\SysVol\DC.com\Policies\{PolicyGUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf" + +#### Possible investigation steps + +- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation. +- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc. +- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges. + +### False positive analysis + +- Inspect whether the user that has done the modifications should be allowed to. The user name can be found in the `winlog.event_data.SubjectUserName` field. + +### Related rules + +- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e +- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- The investigation and containment must be performed in every computer controlled by the GPO, where necessary. +- Remove the script from the GPO. +- Check if other GPOs have suspicious scripts attached. + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.code: "5136" and + winlog.event_data.AttributeLDAPDisplayName:"gPCMachineExtensionNames" and + winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Domain Policy Modification +** ID: T1484 +** Reference URL: https://attack.mitre.org/techniques/T1484/ +* Sub-technique: +** Name: Group Policy Modification +** ID: T1484.001 +** Reference URL: https://attack.mitre.org/techniques/T1484/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-high-number-of-process-terminations.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-high-number-of-process-terminations.asciidoc new file mode 100644 index 0000000000..af2b4209d5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-high-number-of-process-terminations.asciidoc @@ -0,0 +1,103 @@ +[[prebuilt-rule-8-11-3-high-number-of-process-terminations]] +=== High Number of Process Terminations + +This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating High Number of Process Terminations + +Attackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc. + +This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period. + +#### Possible investigation steps + +- Examine the entry point to the host and user in action via the Analyse View. + - Identify the session entry leader and session user. +- Examine the contents of session leading to the process termination(s) via the Session View. + - Examine the command execution pattern in the session, which may lead to suspricous activities. +- Examine the process killed during the malicious execution + - Identify imment threat to the system from the process killed. + - Take necessary incident response actions to respawn necessary process. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Reimage the host operating system or restore it to the operational state. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:start and process.name:"pkill" and process.args:"-f" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Service Stop +** ID: T1489 +** Reference URL: https://attack.mitre.org/techniques/T1489/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-hosts-file-modified.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-hosts-file-modified.asciidoc new file mode 100644 index 0000000000..bee512c32b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-hosts-file-modified.asciidoc @@ -0,0 +1,127 @@ +[[prebuilt-rule-8-11-3-hosts-file-modified]] +=== Hosts File Modified + +The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: Windows +* OS: macOS +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Hosts File Modified + +Operating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to "Fail open" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a). + +This rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS. + +#### Possible investigation steps + +- Identify the specifics of the involved assets, such as role, criticality, and associated users. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Review the privileges of the administrator account that performed the action. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where + + /* file events for creation; file change events are not captured by some of the included sources for linux and so may + miss this, which is the purpose of the process + command line args logic below */ + ( + event.category == "file" and event.type in ("change", "creation") and + file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") and + not process.name in ("dockerd", "rootlesskit", "podman", "crio") + ) + or + + /* process events for change targeting linux only */ + ( + event.category == "process" and event.type in ("start") and + process.name in ("nano", "vim", "vi", "emacs", "echo", "sed") and + process.args : ("/etc/hosts") and + not process.parent.name in ("dhclient-script", "google_set_hostname") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Manipulation +** ID: T1565 +** Reference URL: https://attack.mitre.org/techniques/T1565/ +* Sub-technique: +** Name: Stored Data Manipulation +** ID: T1565.001 +** Reference URL: https://attack.mitre.org/techniques/T1565/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-hping-process-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-hping-process-activity.asciidoc new file mode 100644 index 0000000000..a6f0849538 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-hping-process-activity.asciidoc @@ -0,0 +1,65 @@ +[[prebuilt-rule-8-11-3-hping-process-activity]] +=== Hping Process Activity + +Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://en.wikipedia.org/wiki/Hping + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" +and process.name in ("hping", "hping2", "hping3") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-iis-http-logging-disabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-iis-http-logging-disabled.asciidoc new file mode 100644 index 0000000000..26aedf6395 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-iis-http-logging-disabled.asciidoc @@ -0,0 +1,113 @@ +[[prebuilt-rule-8-11-3-iis-http-logging-disabled]] +=== IIS HTTP Logging Disabled + +Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating IIS HTTP Logging Disabled + +IIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools. + +IIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response. + +This rule monitors commands that disable IIS logging. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + - Verify if any other anti-forensics behaviors were observed. +- Verify whether the logs stored in the `C:\inetpub\logs\logfiles\w3svc1` directory were deleted after this action. +- Check if this operation is done under change management and approved according to the organization's policy. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Re-enable affected logging components, services, and security monitoring. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "appcmd.exe" or process.pe.original_file_name == "appcmd.exe") and + process.args : "/dontLog*:*True" and + not process.parent.name : "iissetup.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable Windows Event Logging +** ID: T1562.002 +** Reference URL: https://attack.mitre.org/techniques/T1562/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-imageload-via-windows-update-auto-update-client.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-imageload-via-windows-update-auto-update-client.asciidoc new file mode 100644 index 0000000000..ba37f49381 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-imageload-via-windows-update-auto-update-client.asciidoc @@ -0,0 +1,71 @@ +[[prebuilt-rule-8-11-3-imageload-via-windows-update-auto-update-client]] +=== ImageLoad via Windows Update Auto Update Client + +Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://dtm.uk/wuauclt/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.pe.original_file_name == "wuauclt.exe" or process.name : "wuauclt.exe") and + /* necessary windows update client args to load a dll */ + process.args : "/RunHandlerComServer" and process.args : "/UpdateDeploymentProvider" and + /* common paths writeable by a standard user where the target DLL can be placed */ + process.args : ("C:\\Users\\*.dll", "C:\\ProgramData\\*.dll", "C:\\Windows\\Temp\\*.dll", "C:\\Windows\\Tasks\\*.dll") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-ingress-transfer-via-windows-bits.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-ingress-transfer-via-windows-bits.asciidoc new file mode 100644 index 0000000000..04cae7c513 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-ingress-transfer-via-windows-bits.asciidoc @@ -0,0 +1,84 @@ +[[prebuilt-rule-8-11-3-ingress-transfer-via-windows-bits]] +=== Ingress Transfer via Windows BITS + +Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/techniques/T1197/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.action == "rename" and + process.name : "svchost.exe" and file.Ext.original.name : "BIT*.tmp" and + (file.extension : ("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "wsh", "js", "vbe", "pif", "scr", "cmd", "cpl") or + file.Ext.header_bytes : "4d5a*") and + + /* noisy paths, for hunting purposes you can use the same query without the following exclusions */ + not file.path : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\*", "?:\\ProgramData\\*\\*") and + + /* lot of third party SW use BITS to download executables with a long file name */ + not length(file.name) > 30 and + not file.path : ( + "?:\\Users\\*\\AppData\\Local\\Temp*\\wct*.tmp", + "?:\\Users\\*\\AppData\\Local\\Adobe\\ARM\\*\\RdrServicesUpdater*.exe", + "?:\\Users\\*\\AppData\\Local\\Docker Desktop Installer\\update-*.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: BITS Jobs +** ID: T1197 +** Reference URL: https://attack.mitre.org/techniques/T1197/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-installation-of-security-support-provider.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-installation-of-security-support-provider.asciidoc new file mode 100644 index 0000000000..45b26f54f0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-installation-of-security-support-provider.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-3-installation-of-security-support-provider]] +=== Installation of Security Support Provider + +Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and + registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*", + "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*" + ) and + not process.executable : ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Security Support Provider +** ID: T1547.005 +** Reference URL: https://attack.mitre.org/techniques/T1547/005/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-interactive-terminal-spawned-via-perl.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-interactive-terminal-spawned-via-perl.asciidoc new file mode 100644 index 0000000000..82d10dad24 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-interactive-terminal-spawned-via-perl.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-11-3-interactive-terminal-spawned-via-perl]] +=== Interactive Terminal Spawned via Perl + +Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and + process.args:("exec \"/bin/sh\";" or "exec \"/bin/dash\";" or "exec \"/bin/bash\";") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-interactive-terminal-spawned-via-python.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-interactive-terminal-spawned-via-python.asciidoc new file mode 100644 index 0000000000..d6b14e6fdc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-interactive-terminal-spawned-via-python.asciidoc @@ -0,0 +1,71 @@ +[[prebuilt-rule-8-11-3-interactive-terminal-spawned-via-python]] +=== Interactive Terminal Spawned via Python + +Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +( + (process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", + "fish") and process.parent.args_count >= 3 and process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or + (process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", + "fish") and process.args : "*sh" and process.args_count == 1 and process.parent.args_count == 1) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Python +** ID: T1059.006 +** Reference URL: https://attack.mitre.org/techniques/T1059/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kerberos-pre-authentication-disabled-for-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kerberos-pre-authentication-disabled-for-user.asciidoc new file mode 100644 index 0000000000..3e3f9ff431 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kerberos-pre-authentication-disabled-for-user.asciidoc @@ -0,0 +1,129 @@ +[[prebuilt-rule-8-11-3-kerberos-pre-authentication-disabled-for-user]] +=== Kerberos Pre-authentication Disabled for User + +Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://harmj0y.medium.com/roasting-as-reps-e6179a65216b +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738 +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Defense Evasion +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring +* Data Source: Active Directory + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Kerberos Pre-authentication Disabled for User + +Kerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password. Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' – Enabled` should not be enabled for user accounts because it weakens security for the account’s Kerberos authentication. + +AS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Determine if the target account is sensitive or privileged. +- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe. + +### False positive analysis + +- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Reset the target account's password if there is any risk of TGTs having been retrieved. +- Re-enable the preauthentication option or disable the target account. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.code:4738 and winlog.api:"wineventlog" and message:"'Don't Require Preauth' - Enabled" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ +* Sub-technique: +** Name: AS-REP Roasting +** ID: T1558.004 +** Reference URL: https://attack.mitre.org/techniques/T1558/004/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kerberos-traffic-from-unusual-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kerberos-traffic-from-unusual-process.asciidoc new file mode 100644 index 0000000000..4a7282b160 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kerberos-traffic-from-unusual-process.asciidoc @@ -0,0 +1,168 @@ +[[prebuilt-rule-8-11-3-kerberos-traffic-from-unusual-process]] +=== Kerberos Traffic from Unusual Process + +Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Kerberos Traffic from Unusual Process + +Kerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography. + +Domain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check if the Destination IP is related to a Domain Controller. +- Review event ID 4769 for suspicious ticket requests. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives. +- Exceptions can be added for noisy/frequent connections. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. + - Ticket requests can be used to investigate potentially compromised accounts. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +network where host.os.type == "windows" and event.type == "start" and network.direction == "egress" and + destination.port == 88 and source.port >= 49152 and process.pid != 4 and destination.address : "*" and + not + ( + process.executable : ( + "\\device\\harddiskvolume?\\program files (x86)\\nmap\\nmap.exe", + "\\device\\harddiskvolume?\\program files (x86)\\nmap oem\\nmap.exe", + "\\device\\harddiskvolume?\\windows\\system32\\lsass.exe", + "?:\\Program Files\\Amazon Corretto\\jdk1*\\bin\\java.exe", + "?:\\Program Files\\BlackBerry\\UEM\\Proxy Server\\bin\\prunsrv.exe", + "?:\\Program Files\\BlackBerry\\UEM\\Core\\tomcat-core\\bin\\tomcat9.exe", + "?:\\Program Files\\DBeaver\\dbeaver.exe", + "?:\\Program Files\\Docker\\Docker\\resources\\com.docker.backend.exe", + "?:\\Program Files\\Docker\\Docker\\resources\\com.docker.vpnkit.exe", + "?:\\Program Files\\Docker\\Docker\\resources\\vpnkit.exe", + "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Program Files\\Internet Explorer\\iexplore.exe", + "?:\\Program Files\\JetBrains\\PyCharm Community Edition*\\bin\\pycharm64.exe", + "?:\\Program Files\\Mozilla Firefox\\firefox.exe", + "?:\\Program Files\\Oracle\\VirtualBox\\VirtualBoxVM.exe", + "?:\\Program Files\\Puppet Labs\\Puppet\\puppet\\bin\\ruby.exe", + "?:\\Program Files\\rapid7\\nexpose\\nse\\.DLLCACHE\\nseserv.exe", + "?:\\Program Files\\Silverfort\\Silverfort AD Adapter\\SilverfortServer.exe", + "?:\\Program Files\\Tenable\\Nessus\\nessusd.exe", + "?:\\Program Files\\VMware\\VMware View\\Server\\bin\\ws_TomcatService.exe", + "?:\\Program Files (x86)\\Advanced Port Scanner\\advanced_port_scanner.exe", + "?:\\Program Files (x86)\\DesktopCentral_Agent\\bin\\dcpatchscan.exe", + "?:\\Program Files (x86)\\GFI\\LanGuard 12 Agent\\lnsscomm.exe", + "?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", + "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe", + "?:\\Program Files (x86)\\Microsoft Silverlight\\sllauncher.exe", + "?:\\Program Files (x86)\\Nmap\\nmap.exe", + "?:\\Program Files (x86)\\Nmap OEM\\nmap.exe", + "?:\\Program Files (x86)\\nwps\\NetScanTools Pro\\NSTPRO.exe", + "?:\\Program Files (x86)\\SAP BusinessObjects\\tomcat\\bin\\tomcat9.exe", + "?:\\Program Files (x86)\\SuperScan\\scanner.exe", + "?:\\Program Files (x86)\\Zscaler\\ZSATunnel\\ZSATunnel.exe", + "?:\\Windows\\System32\\lsass.exe", + "?:\\Windows\\System32\\MicrosoftEdgeCP.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Windows\\SysWOW64\\vmnat.exe", + "?:\\Windows\\SystemApps\\Microsoft.MicrosoftEdge_*\\MicrosoftEdge.exe", + "System" + ) and process.code_signature.trusted == true + ) and + destination.address != "127.0.0.1" and destination.address != "::1" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kernel-load-or-unload-via-kexec-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kernel-load-or-unload-via-kexec-detected.asciidoc new file mode 100644 index 0000000000..ba25323da4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kernel-load-or-unload-via-kexec-detected.asciidoc @@ -0,0 +1,90 @@ +[[prebuilt-rule-8-11-3-kernel-load-or-unload-via-kexec-detected]] +=== Kernel Load or Unload via Kexec Detected + +This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.crowdstrike.com/blog/venom-vulnerability-details/ +* https://www.makeuseof.com/what-is-venom-vulnerability/ +* https://madaidans-insecurities.github.io/guides/linux-hardening.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and process.name == "kexec" and +process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Escape to Host +** ID: T1611 +** Reference URL: https://attack.mitre.org/techniques/T1611/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify System Image +** ID: T1601 +** Reference URL: https://attack.mitre.org/techniques/T1601/ +* Sub-technique: +** Name: Patch System Image +** ID: T1601.001 +** Reference URL: https://attack.mitre.org/techniques/T1601/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kernel-module-load-via-insmod.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kernel-module-load-via-insmod.asciidoc new file mode 100644 index 0000000000..bc67a59746 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kernel-module-load-via-insmod.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-3-kernel-module-load-via-insmod]] +=== Kernel Module Load via insmod + +Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Rootkit +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and process.name == "insmod" and process.args : "*.ko" +and not process.parent.name in ("cisco-amp-helper", "ksplice-apply") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kernel-module-removal.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kernel-module-removal.asciidoc new file mode 100644 index 0000000000..8d50a4339a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-kernel-module-removal.asciidoc @@ -0,0 +1,81 @@ +[[prebuilt-rule-8-11-3-kernel-module-removal]] +=== Kernel Module Removal + +Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://man7.org/linux/man-pages/man8/modprobe.8.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and process.name == "rmmod" or +(process.name == "modprobe" and process.args in ("--remove", "-r")) and +process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-keychain-password-retrieval-via-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-keychain-password-retrieval-via-command-line.asciidoc new file mode 100644 index 0000000000..c4d9a9645a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-keychain-password-retrieval-via-command-line.asciidoc @@ -0,0 +1,80 @@ +[[prebuilt-rule-8-11-3-keychain-password-retrieval-via-command-line]] +=== Keychain Password Retrieval via Command Line + +Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.netmeister.org/blog/keychain-passwords.html +* https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py +* https://ss64.com/osx/security.html +* https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type == "start" and + process.name : "security" and process.args : "-wa" and process.args : ("find-generic-password", "find-internet-password") and + process.args : ("Chrome*", "Chromium", "Opera", "Safari*", "Brave", "Microsoft Edge", "Edge", "Firefox*") and + not process.parent.executable : "/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Credentials from Web Browsers +** ID: T1555.003 +** Reference URL: https://attack.mitre.org/techniques/T1555/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-krbtgt-delegation-backdoor.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-krbtgt-delegation-backdoor.asciidoc new file mode 100644 index 0000000000..73b386a3a2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-krbtgt-delegation-backdoor.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-8-11-3-krbtgt-delegation-backdoor]] +=== KRBTGT Delegation Backdoor + +Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://skyblue.team/posts/delegate-krbtgt +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Use Case: Active Directory Monitoring +* Data Source: Active Directory + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.action:modified-user-account and event.code:4738 and + winlog.event_data.AllowedToDelegateTo:*krbtgt* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-lateral-movement-via-startup-folder.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-lateral-movement-via-startup-folder.asciidoc new file mode 100644 index 0000000000..80a9f4c908 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-lateral-movement-via-startup-folder.asciidoc @@ -0,0 +1,87 @@ +[[prebuilt-rule-8-11-3-lateral-movement-via-startup-folder]] +=== Lateral Movement via Startup Folder + +Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.mdsec.co.uk/2017/06/rdpinception/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type in ("creation", "change") and + + /* via RDP TSClient mounted share or SMB */ + (process.name : "mstsc.exe" or process.pid == 4) and + + file.path : ("?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", + "?:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Remote Desktop Protocol +** ID: T1021.001 +** Reference URL: https://attack.mitre.org/techniques/T1021/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Registry Run Keys / Startup Folder +** ID: T1547.001 +** Reference URL: https://attack.mitre.org/techniques/T1547/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-group-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-group-creation.asciidoc new file mode 100644 index 0000000000..c9e2db0d36 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-group-creation.asciidoc @@ -0,0 +1,119 @@ +[[prebuilt-rule-8-11-3-linux-group-creation]] +=== Linux Group Creation + +Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system. + +*Rule type*: eql + +*Rule indices*: + +* logs-system.auth-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Linux Group Creation + +The `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems. + +Attackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group. + +This rule identifies the usages of `groupadd` and `addgroup` to create new groups. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps + +- Investigate whether the group was created succesfully. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific Group","query":"SELECT * FROM groups WHERE groupname = {{group.name}}"}} +- Identify if a user account was added to this group after creation. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Delete the created group and, in case an account was added to this group, delete the account. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +iam where host.os.type == "linux" and (event.type == "group" and event.type == "creation") and +process.name in ("groupadd", "addgroup") and group.name != null + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Local Account +** ID: T1136.001 +** Reference URL: https://attack.mitre.org/techniques/T1136/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-init-pid-1-secret-dump-via-gdb.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-init-pid-1-secret-dump-via-gdb.asciidoc new file mode 100644 index 0000000000..a210812273 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-init-pid-1-secret-dump-via-gdb.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-11-3-linux-init-pid-1-secret-dump-via-gdb]] +=== Linux init (PID 1) Secret Dump via GDB + +This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/controlplaneio/truffleproc +* https://github.com/hajzer/bash-memory-dump + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "gdb" and process.args in ("--pid", "-p") and process.args == "1" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Proc Filesystem +** ID: T1003.007 +** Reference URL: https://attack.mitre.org/techniques/T1003/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc new file mode 100644 index 0000000000..3fe2469669 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc @@ -0,0 +1,193 @@ +[[prebuilt-rule-8-11-3-linux-restricted-shell-breakout-via-linux-binary-s]] +=== Linux Restricted Shell Breakout via Linux Binary(s) + +Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://gtfobins.github.io/gtfobins/apt/ +* https://gtfobins.github.io/gtfobins/apt-get/ +* https://gtfobins.github.io/gtfobins/nawk/ +* https://gtfobins.github.io/gtfobins/mawk/ +* https://gtfobins.github.io/gtfobins/awk/ +* https://gtfobins.github.io/gtfobins/gawk/ +* https://gtfobins.github.io/gtfobins/busybox/ +* https://gtfobins.github.io/gtfobins/c89/ +* https://gtfobins.github.io/gtfobins/c99/ +* https://gtfobins.github.io/gtfobins/cpulimit/ +* https://gtfobins.github.io/gtfobins/crash/ +* https://gtfobins.github.io/gtfobins/env/ +* https://gtfobins.github.io/gtfobins/expect/ +* https://gtfobins.github.io/gtfobins/find/ +* https://gtfobins.github.io/gtfobins/flock/ +* https://gtfobins.github.io/gtfobins/gcc/ +* https://gtfobins.github.io/gtfobins/mysql/ +* https://gtfobins.github.io/gtfobins/nice/ +* https://gtfobins.github.io/gtfobins/ssh/ +* https://gtfobins.github.io/gtfobins/vi/ +* https://gtfobins.github.io/gtfobins/vim/ +* https://gtfobins.github.io/gtfobins/capsh/ +* https://gtfobins.github.io/gtfobins/byebug/ +* https://gtfobins.github.io/gtfobins/git/ +* https://gtfobins.github.io/gtfobins/ftp/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 111 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Shell Evasion via Linux Utilities +Detection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or +environments by spawning an interactive system shell. +Here are some possible avenues of investigation: +- Examine the entry point to the host and user in action via the Analyse View. + - Identify the session entry leader and session user +- Examine the contents of session leading to the abuse via the Session View. + - Examine the command execution pattern in the session, which may lead to suspricous activities +- Examine the execution of commands in the spawned shell. + - Identify imment threat to the system from the executed commands + - Take necessary incident response actions to contain any malicious behviour caused via this execution. + +### Related rules + +- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences. +- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment + +### Response and remediation + +Initiate the incident response process based on the outcome of the triage. + +- If the triage releaved suspicious netwrok activity from the malicious spawned shell, + - Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware execution via the maliciously spawned shell, + - Search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- If the triage revelaed defence evasion for imparing defenses + - Isolate the involved host to prevent further post-compromise behavior. + - Identified the disabled security guard components on the host and take necessary steps in renebaling the same. + - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same. +- If the triage revelaed addition of persistence mechanism exploit like auto start scripts + - Isolate further login to the systems that can initae auto start scripts. + - Identify the auto start scripts and disable and remove the same from the systems +- If the triage revealed data crawling or data export via remote copy + - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling + - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials. + - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and +( + /* launching shell from capsh */ + (process.name == "capsh" and process.args == "--") or + + /* launching shells from unusual parents or parent+arg combos */ + (process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and ( + (process.parent.name : "*awk" and process.parent.args : "BEGIN {system(*)}") or + (process.parent.name == "git" and process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or + process.args : ("*PAGER*", "!*sh", "exec *sh") and not process.name == "ssh" ) or + (process.parent.name : ("byebug", "ftp", "strace", "zip", "tar") and + ( + process.parent.args : "BEGIN {system(*)}" or + (process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or process.args : ("*PAGER*", "!*sh", "exec *sh")) or + ( + (process.parent.args : "exec=*sh" or (process.parent.args : "-I" and process.parent.args : "*sh")) or + (process.args : "exec=*sh" or (process.args : "-I" and process.args : "*sh")) + ) + ) + ) or + + /* shells specified in parent args */ + /* nice rule is broken in 8.2 */ + (process.parent.args : "*sh" and + ( + (process.parent.name == "nice") or + (process.parent.name == "cpulimit" and process.parent.args == "-f") or + (process.parent.name == "find" and process.parent.args == "." and process.parent.args == "-exec" and + process.parent.args == ";" and process.parent.args : "/bin/*sh") or + (process.parent.name == "flock" and process.parent.args == "-u" and process.parent.args == "/") + ) + ) + )) or + + /* shells specified in args */ + (process.args : "*sh" and ( + (process.parent.name == "crash" and process.parent.args == "-h") or + (process.name == "sensible-pager" and process.parent.name in ("apt", "apt-get") and process.parent.args == "changelog") + /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */ + + )) or + (process.name == "busybox" and event.action == "exec" and process.args_count == 2 and process.args : "*sh" and not + process.executable : "/var/lib/docker/overlay2/*/merged/bin/busybox" and not (process.parent.args == "init" and + process.parent.args == "runc") and not process.parent.args in ("ls-remote", "push", "fetch") and not process.parent.name == "mkinitramfs") or + (process.name == "env" and process.args_count == 2 and process.args : "*sh") or + (process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args : ":!*sh") or + (process.parent.name in ("c89", "c99", "gcc") and process.parent.args : "*sh,-s" and process.parent.args == "-wrapper") or + (process.parent.name == "expect" and process.parent.args == "-c" and process.parent.args : "spawn *sh;interact") or + (process.parent.name == "mysql" and process.parent.args == "-e" and process.parent.args : "\\!*sh") or + (process.parent.name == "ssh" and process.parent.args == "-o" and process.parent.args : "ProxyCommand=;*sh 0<&2 1>&2") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-user-account-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-user-account-creation.asciidoc new file mode 100644 index 0000000000..25aabf9353 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-user-account-creation.asciidoc @@ -0,0 +1,118 @@ +[[prebuilt-rule-8-11-3-linux-user-account-creation]] +=== Linux User Account Creation + +Identifies attempts to create new users. Attackers may add new users to establish persistence on a system. + +*Rule type*: eql + +*Rule indices*: + +* logs-system.auth-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Linux User Account Creation + +The `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems. + +Attackers may create new accounts (both local and domain) to maintain access to victim systems. + +This rule identifies the usage of `useradd` and `adduser` to create new accounts. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps + +- Investigate whether the user was created succesfully. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} +- Identify if the account was added to privileged groups or assigned special privileges after creation. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific Group","query":"SELECT * FROM groups WHERE groupname = {{group.name}}"}} +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Delete the created account. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +iam where host.os.type == "linux" and (event.type == "user" and event.type == "creation") and +process.name in ("useradd", "adduser") and user.name != null + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Local Account +** ID: T1136.001 +** Reference URL: https://attack.mitre.org/techniques/T1136/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-user-added-to-privileged-group.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-user-added-to-privileged-group.asciidoc new file mode 100644 index 0000000000..3db97caffd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-linux-user-added-to-privileged-group.asciidoc @@ -0,0 +1,128 @@ +[[prebuilt-rule-8-11-3-linux-user-added-to-privileged-group]] +=== Linux User Added to Privileged Group + +Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Linux User User Added to Privileged Group + +The `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems. + +Attackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain. + +This rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps + +- Investigate whether the user was succesfully added to the privileged group. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} +- Retrieve information about the privileged group to which the user was added. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific Group","query":"SELECT * FROM groups WHERE groupname = {{group.name}}"}} +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Delete the account that seems to be involved in malicious activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and +process.parent.name == "sudo" and +process.args in ("root", "admin", "wheel", "staff", "sudo", + "disk", "video", "shadow", "lxc", "lxd") and +( + process.name in ("usermod", "adduser") or + process.name == "gpasswd" and + process.args in ("-a", "--add", "-M", "--members") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Local Account +** ID: T1136.001 +** Reference URL: https://attack.mitre.org/techniques/T1136/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-lsass-memory-dump-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-lsass-memory-dump-creation.asciidoc new file mode 100644 index 0000000000..2c702538dd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-lsass-memory-dump-creation.asciidoc @@ -0,0 +1,151 @@ +[[prebuilt-rule-8-11-3-lsass-memory-dump-creation]] +=== LSASS Memory Dump Creation + +Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/outflanknl/Dumpert +* https://github.com/hoangprod/AndrewSpecial + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating LSASS Memory Dump Creation + +Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. + +This rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Identify the process responsible for creating the dump file. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.action != "deletion" and + file.name : ("lsass*.dmp", "dumpert.dmp", "Andrew.dmp", "SQLDmpr*.mdmp", "Coredump.dmp") and + + not ( + process.executable : ( + "?:\\Program Files\\Microsoft SQL Server\\*\\Shared\\SqlDumper.exe", + "?:\\Windows\\System32\\dllhost.exe" + ) and + file.path : ( + "?:\\*\\Reporting Services\\Logfiles\\SQLDmpr*.mdmp", + "?:\\Program Files\\Microsoft SQL Server\\*\\Shared\\ErrorDumps\\SQLDmpr*.mdmp", + "?:\\Program Files\\Microsoft SQL Server\\*\\MSSQL\\LOG\\SQLDmpr*.mdmp" + ) + ) and + + not ( + process.executable : "?:\\Windows\\system32\\WerFault.exe" and + file.path : ( + "?:\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\CrashDumps\\lsass.exe.*.dmp", + "?:\\Windows\\System32\\%LOCALAPPDATA%\\CrashDumps\\lsass.exe.*.dmp" + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-lsass-memory-dump-handle-access.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-lsass-memory-dump-handle-access.asciidoc new file mode 100644 index 0000000000..dd004b2fa1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-lsass-memory-dump-handle-access.asciidoc @@ -0,0 +1,155 @@ +[[prebuilt-rule-8-11-3-lsass-memory-dump-handle-access]] +=== LSASS Memory Dump Handle Access + +Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656 +* https://twitter.com/jsecurity101/status/1227987828534956033?s=20 +* https://attack.mitre.org/techniques/T1003/001/ +* https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html +* http://findingbad.blogspot.com/2017/ +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating LSASS Memory Dump Handle Access + +Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. + +Adversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/). + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions. +- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Scope compromised credentials and disable the accounts. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where event.action == "File System" and event.code == "4656" and + + winlog.event_data.ObjectName : ( + "?:\\Windows\\System32\\lsass.exe", + "\\Device\\HarddiskVolume?\\Windows\\System32\\lsass.exe", + "\\Device\\HarddiskVolume??\\Windows\\System32\\lsass.exe") and + + /* The right to perform an operation controlled by an extended access right. */ + + (winlog.event_data.AccessMask : ("0x1fffff" , "0x1010", "0x120089", "0x1F3FFF") or + winlog.event_data.AccessMaskDescription : ("READ_CONTROL", "Read from process memory")) + + /* Common Noisy False Positives */ + + and not winlog.event_data.ProcessName : ( + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\system32\\wbem\\WmiPrvSE.exe", + "?:\\Windows\\System32\\dllhost.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Windows\\System32\\msiexec.exe", + "?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe", + "?:\\Windows\\explorer.exe", + "?:\\Windows\\System32\\poqexec.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-lsass-process-access-via-windows-api.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-lsass-process-access-via-windows-api.asciidoc new file mode 100644 index 0000000000..10d90cc6f8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-lsass-process-access-via-windows-api.asciidoc @@ -0,0 +1,116 @@ +[[prebuilt-rule-8-11-3-lsass-process-access-via-windows-api]] +=== LSASS Process Access via Windows API + +Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +api where host.os.type == "windows" and + process.Ext.api.name in ("OpenProcess", "OpenThread") and Target.process.name : "lsass.exe" and + not + ( + process.executable : ( + "?:\\ProgramData\\GetSupportService*\\Updates\\Update_*.exe", + "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", + "?:\\Program Files (x86)\\Asiainfo Security\\OfficeScan Client\\NTRTScan.exe", + "?:\\Program Files (x86)\\Blackpoint\\SnapAgent\\SnapAgent.exe", + "?:\\Program Files (x86)\\eScan\\reload.exe", + "?:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe", + "?:\\Program Files (x86)\\Kaspersky Lab\\*\\avp.exe", + "?:\\Program Files (x86)\\N-able Technologies\\Reactive\\bin\\NableReactiveManagement.exe", + "?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe", + "?:\\Program Files (x86)\\Trend Micro\\*\\CCSF\\TmCCSF.exe", + "?:\\Program Files*\\Windows Defender\\MsMpEng.exe", + "?:\\Program Files\\Bitdefender\\Endpoint Security\\EPSecurityService.exe", + "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe", + "?:\\Program Files\\Common Files\\McAfee\\AVSolution\\mcshield.exe", + "?:\\Program Files\\EA\\AC\\EAAntiCheat.GameService.exe", + "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\metricbeat.exe", + "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\osqueryd.exe", + "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\packetbeat.exe", + "?:\\Program Files\\ESET\\ESET Security\\ekrn.exe", + "?:\\Program Files\\Fortinet\\FortiClient\\FortiProxy.exe", + "?:\\Program Files\\Huntress\\HuntressAgent.exe", + "?:\\Program Files\\LogicMonitor\\Agent\\bin\\sbshutdown.exe", + "?:\\Program Files\\Microsoft Security Client\\MsMpEng.exe", + "?:\\Program Files\\Qualys\\QualysAgent\\QualysAgent.exe", + "?:\\Program Files\\TDAgent\\ossec-agent\\ossec-agent.exe", + "?:\\Program Files\\Topaz OFD\\Warsaw\\core.exe", + "?:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "?:\\Windows\\AdminArsenal\\PDQDeployRunner\\*\\exec\\Sysmon64.exe", + "?:\\Windows\\Sysmon.exe", + "?:\\Windows\\Sysmon64.exe", + "?:\\Windows\\System32\\csrss.exe", + "?:\\Windows\\System32\\MRT.exe", + "?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\System32\\RtkAudUService64.exe", + "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe" + ) and process.code_signature.trusted == true + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-masquerading-space-after-filename.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-masquerading-space-after-filename.asciidoc new file mode 100644 index 0000000000..d3432eed10 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-masquerading-space-after-filename.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-11-3-masquerading-space-after-filename]] +=== Masquerading Space After Filename + +This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type:("linux","macos") and + event.type == "start" and + (process.executable regex~ """/[a-z0-9\s_\-\\./]+\s""") and not + process.name in ("ls", "find", "grep", "xkbcomp") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Space after Filename +** ID: T1036.006 +** Reference URL: https://attack.mitre.org/techniques/T1036/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-started-an-unusual-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-started-an-unusual-process.asciidoc new file mode 100644 index 0000000000..0937a032f3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-started-an-unusual-process.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-11-3-microsoft-build-engine-started-an-unusual-process]] +=== Microsoft Build Engine Started an Unusual Process + +An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine. + +*Rule type*: new_terms + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 208 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:windows and event.category:process and event.type:start and process.parent.name:"MSBuild.exe" and +process.name.caseless:("csc.exe" or "iexplore.exe" or "powershell.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Sub-technique: +** Name: Compile After Delivery +** ID: T1027.004 +** Reference URL: https://attack.mitre.org/techniques/T1027/004/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-started-by-a-script-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-started-by-a-script-process.asciidoc new file mode 100644 index 0000000000..53cff8d750 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-started-by-a-script-process.asciidoc @@ -0,0 +1,89 @@ +[[prebuilt-rule-8-11-3-microsoft-build-engine-started-by-a-script-process]] +=== Microsoft Build Engine Started by a Script Process + +An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads. + +*Rule type*: new_terms + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:windows and event.category:process and event.type:start and ( + process.name.caseless:"msbuild.exe" or process.pe.original_file_name:"MSBuild.exe") and + process.parent.name:("cmd.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "cscript.exe" or + "wscript.exe" or "mshta.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-started-by-a-system-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-started-by-a-system-process.asciidoc new file mode 100644 index 0000000000..412521c46b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-started-by-a-system-process.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-8-11-3-microsoft-build-engine-started-by-a-system-process]] +=== Microsoft Build Engine Started by a System Process + +An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : "MSBuild.exe" and + process.parent.name : ("explorer.exe", "wmiprvse.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-started-by-an-office-application.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-started-by-an-office-application.asciidoc new file mode 100644 index 0000000000..156611421a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-started-by-an-office-application.asciidoc @@ -0,0 +1,142 @@ +[[prebuilt-rule-8-11-3-microsoft-build-engine-started-by-an-office-application]] +=== Microsoft Build Engine Started by an Office Application + +An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Microsoft Build Engine Started by an Office Application + +Microsoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of. + +The Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code. + +This rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client. +- Determine if the collected files are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. + - If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : "MSBuild.exe" and + process.parent.name : ("eqnedt32.exe", + "excel.exe", + "fltldr.exe", + "msaccess.exe", + "mspub.exe", + "outlook.exe", + "powerpnt.exe", + "winword.exe" ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-using-an-alternate-name.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-using-an-alternate-name.asciidoc new file mode 100644 index 0000000000..888f2d2505 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-build-engine-using-an-alternate-name.asciidoc @@ -0,0 +1,137 @@ +[[prebuilt-rule-8-11-3-microsoft-build-engine-using-an-alternate-name]] +=== Microsoft Build Engine Using an Alternate Name + +An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Microsoft Build Engine Using an Alternate Name + +The OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections. + +The Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code. + +This rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.pe.original_file_name == "MSBuild.exe" and + not process.name : "MSBuild.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ +* Technique: +** Name: Trusted Developer Utilities Proxy Execution +** ID: T1127 +** Reference URL: https://attack.mitre.org/techniques/T1127/ +* Sub-technique: +** Name: MSBuild +** ID: T1127.001 +** Reference URL: https://attack.mitre.org/techniques/T1127/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc new file mode 100644 index 0000000000..433ac78f82 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc @@ -0,0 +1,84 @@ +[[prebuilt-rule-8-11-3-microsoft-exchange-server-um-spawning-suspicious-processes]] +=== Microsoft Exchange Server UM Spawning Suspicious Processes + +Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers +* https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ("UMService.exe", "UMWorkerProcess.exe") and + not process.executable : + ("?:\\Windows\\System32\\werfault.exe", + "?:\\Windows\\System32\\wermgr.exe", + "?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe", + "D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe", + "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-exchange-server-um-writing-suspicious-files.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-exchange-server-um-writing-suspicious-files.asciidoc new file mode 100644 index 0000000000..abfcadf215 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-exchange-server-um-writing-suspicious-files.asciidoc @@ -0,0 +1,107 @@ +[[prebuilt-rule-8-11-3-microsoft-exchange-server-um-writing-suspicious-files]] +=== Microsoft Exchange Server UM Writing Suspicious Files + +Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers +* https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +Positive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines). + +Microsoft highly recommends that the best course of action is patching, but this may not protect already compromised systems +from existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support +[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security) + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and + process.name : ("UMWorkerProcess.exe", "umservice.exe") and + file.extension : ("php", "jsp", "js", "aspx", "asmx", "asax", "cfm", "shtml") and + ( + file.path : "?:\\inetpub\\wwwroot\\aspnet_client\\*" or + + (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\*" and + not (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\version\\*" or + file.name : ("errorFE.aspx", "expiredpassword.aspx", "frowny.aspx", "GetIdToken.htm", "logoff.aspx", + "logon.aspx", "OutlookCN.aspx", "RedirSuiteServiceProxy.aspx", "signout.aspx"))) or + + (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\ecp\\auth\\*" and + not file.name : "TimeoutLogoff.aspx") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc new file mode 100644 index 0000000000..1d74e6e55d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc @@ -0,0 +1,87 @@ +[[prebuilt-rule-8-11-3-microsoft-exchange-worker-spawning-suspicious-processes]] +=== Microsoft Exchange Worker Spawning Suspicious Processes + +Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers +* https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities +* https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and + (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or + process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-iis-connection-strings-decryption.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-iis-connection-strings-decryption.asciidoc new file mode 100644 index 0000000000..83d7baf8ca --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-iis-connection-strings-decryption.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-3-microsoft-iis-connection-strings-decryption]] +=== Microsoft IIS Connection Strings Decryption + +Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: + +* https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/ +* https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "aspnet_regiis.exe" or process.pe.original_file_name == "aspnet_regiis.exe") and + process.args : "connectionStrings" and process.args : "-pdf" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-iis-service-account-password-dumped.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-iis-service-account-password-dumped.asciidoc new file mode 100644 index 0000000000..57b3e3bc1b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-iis-service-account-password-dumped.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-11-3-microsoft-iis-service-account-password-dumped]] +=== Microsoft IIS Service Account Password Dumped + +Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: + +* https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "appcmd.exe" or process.pe.original_file_name == "appcmd.exe") and + process.args : "/list" and process.args : "/text*password" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-windows-defender-tampering.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-windows-defender-tampering.asciidoc new file mode 100644 index 0000000000..39c8eb2fcc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-microsoft-windows-defender-tampering.asciidoc @@ -0,0 +1,148 @@ +[[prebuilt-rule-8-11-3-microsoft-windows-defender-tampering]] +=== Microsoft Windows Defender Tampering + +Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ +* https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html +* https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html +* https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html +* https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html +* https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html +* https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html +* https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Microsoft Windows Defender Tampering + +Microsoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks. + +This rule monitors the registry for modifications that disable Windows Defender features. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed. + +### Related rules + +- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb +- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Take actions to restore the appropriate Windows Defender antivirus configurations. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type in ("creation", "change") and + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\PUAProtection" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Features\\TamperProtection" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIntrusionPreventionSystem" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScriptScanning" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Controlled Folder Access\\EnableControlledFolderAccess" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableIOAVProtection" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Reporting\\DisableEnhancedNotifications" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\DisableBlockAtFirstSeen" and + registry.data.strings : ("1", "0x00000001")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SpynetReporting" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SubmitSamplesConsent" and + registry.data.strings : ("0", "0x00000000")) or + (registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring" and + registry.data.strings : ("1", "0x00000001")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-mimikatz-memssp-log-file-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-mimikatz-memssp-log-file-detected.asciidoc new file mode 100644 index 0000000000..523187eccd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-mimikatz-memssp-log-file-detected.asciidoc @@ -0,0 +1,115 @@ +[[prebuilt-rule-8-11-3-mimikatz-memssp-log-file-detected]] +=== Mimikatz Memssp Log File Detected + +Identifies the password log file from the default Mimikatz memssp module. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Mimikatz Memssp Log File Detected + +[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network. + +This rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon. + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host. +- Retrieve and inspect the log file contents. +- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs. + - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files. + - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + - Identify the process that created the DLL using file creation events. + +### False positive analysis + +- This file name `mimilsa.log` should not legitimately be created. + +### Related rules + +- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the host is a Domain Controller (DC): + - Activate your incident response plan for total Active Directory compromise. + - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Reboot the host to remove the injected SSP from memory. +- Reimage the host operating system or restore compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and file.name : "mimilsa.log" and process.name : "lsass.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-amsienable-registry-key.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-amsienable-registry-key.asciidoc new file mode 100644 index 0000000000..ed9c5e9daa --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-amsienable-registry-key.asciidoc @@ -0,0 +1,139 @@ +[[prebuilt-rule-8-11-3-modification-of-amsienable-registry-key]] +=== Modification of AmsiEnable Registry Key + +Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf +* https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Modification of AmsiEnable Registry Key + +The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell. + +Since AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it. + +This rule monitors the modifications to the Software\Microsoft\Windows Script\Settings\AmsiEnable registry key. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate the execution of scripts and macros after the registry modification. +- Retrieve scripts or Microsoft Office files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences on other hosts. + +### False positive analysis + +- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections. + +### Related rules + +- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Delete or set the key to its default value. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type in ("creation", "change") and + registry.path : ( + "HKEY_USERS\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable", + "HKU\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable", + "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable" + ) and + registry.data.strings: ("0", "0x00000000") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-boot-configuration.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-boot-configuration.asciidoc new file mode 100644 index 0000000000..05e61385ab --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-boot-configuration.asciidoc @@ -0,0 +1,116 @@ +[[prebuilt-rule-8-11-3-modification-of-boot-configuration]] +=== Modification of Boot Configuration + +Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Modification of Boot Configuration + +Boot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these. + +This rule identifies the usage of `bcdedit.exe` to: + +- Disable Windows Error Recovery (recoveryenabled). +- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures). + +These are common steps in destructive attacks by adversaries leveraging ransomware. + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Check if any files on the host machine have been encrypted. + +### False positive analysis + +- The usage of these options is not inherently malicious. Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes. + +### Related rules + +- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "bcdedit.exe" or process.pe.original_file_name == "bcdedit.exe") and + ( + (process.args : "/set" and process.args : "bootstatuspolicy" and process.args : "ignoreallfailures") or + (process.args : "no" and process.args : "recoveryenabled") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-dynamic-linker-preload-shared-object.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-dynamic-linker-preload-shared-object.asciidoc new file mode 100644 index 0000000000..35952360a7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-dynamic-linker-preload-shared-object.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-3-modification-of-dynamic-linker-preload-shared-object]] +=== Modification of Dynamic Linker Preload Shared Object + +Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries. + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 208 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:file and event.action:(updated or renamed or rename) and +not event.type:deletion and file.path:/etc/ld.so.preload + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-openssh-binaries.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-openssh-binaries.asciidoc new file mode 100644 index 0000000000..71773710c2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-openssh-binaries.asciidoc @@ -0,0 +1,101 @@ +[[prebuilt-rule-8-11-3-modification-of-openssh-binaries]] +=== Modification of OpenSSH Binaries + +Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Persistence +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:linux and event.type:change and + process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron)) and + (file.path:(/usr/bin/scp or + /usr/bin/sftp or + /usr/bin/ssh or + /usr/sbin/sshd) or + file.name:libkeyutils.so) and + not process.executable:/usr/share/elasticsearch/* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ +* Technique: +** Name: Remote Service Session Hijacking +** ID: T1563 +** Reference URL: https://attack.mitre.org/techniques/T1563/ +* Sub-technique: +** Name: SSH Hijacking +** ID: T1563.001 +** Reference URL: https://attack.mitre.org/techniques/T1563/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-the-mspkiaccountcredentials.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-the-mspkiaccountcredentials.asciidoc new file mode 100644 index 0000000000..1916c0938a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-the-mspkiaccountcredentials.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-3-modification-of-the-mspkiaccountcredentials]] +=== Modification of the msPKIAccountCredentials + +Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming +* https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx +* https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Data Source: Active Directory +* Tactic: Privilege Escalation +* Use Case: Active Directory Monitoring + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.action:"Directory Service Changes" and event.code:"5136" and + winlog.event_data.AttributeLDAPDisplayName:"msPKIAccountCredentials" and winlog.event_data.OperationType:"%%14674" and + not winlog.event_data.SubjectUserSid : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-wdigest-security-provider.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-wdigest-security-provider.asciidoc new file mode 100644 index 0000000000..7b14edc894 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-modification-of-wdigest-security-provider.asciidoc @@ -0,0 +1,129 @@ +[[prebuilt-rule-8-11-3-modification-of-wdigest-security-provider]] +=== Modification of WDigest Security Provider + +Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html +* https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019 +* https://frsecure.com/compromised-credentials-response-playbook +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Modification of WDigest Security Provider + +In Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions. + +Still, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\SYSTEM\*ControlSet*\Control\SecurityProviders\WDigest\UseLogonCredential` registry key. This activity is commonly related to the execution of credential dumping tools. + +#### Possible investigation steps + +- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences on other hosts. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access. + +### Related rules + +- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Reimage the host operating system and restore compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type : ("creation", "change") and + registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" + ) and registry.data.strings : ("1", "0x00000001") and + not (process.executable : "?:\\Windows\\System32\\svchost.exe" and user.id : "S-1-5-18") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-mounting-hidden-or-webdav-remote-shares.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-mounting-hidden-or-webdav-remote-shares.asciidoc new file mode 100644 index 0000000000..a0cd039ec8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-mounting-hidden-or-webdav-remote-shares.asciidoc @@ -0,0 +1,103 @@ +[[prebuilt-rule-8-11-3-mounting-hidden-or-webdav-remote-shares]] +=== Mounting Hidden or WebDav Remote Shares + +Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + ((process.name : "net.exe" or process.pe.original_file_name == "net.exe") or ((process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and + not process.parent.name : "net.exe")) and + process.args : "use" and + /* including hidden and webdav based online shares such as onedrive */ + process.args : ("\\\\*\\*$*", "\\\\*@SSL\\*", "http*") and + /* excluding shares deletion operation */ + not process.args : "/d*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Local Accounts +** ID: T1078.003 +** Reference URL: https://attack.mitre.org/techniques/T1078/003/ +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Sub-technique: +** Name: Local Account +** ID: T1087.001 +** Reference URL: https://attack.mitre.org/techniques/T1087/001/ +* Sub-technique: +** Name: Domain Account +** ID: T1087.002 +** Reference URL: https://attack.mitre.org/techniques/T1087/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-ms-office-macro-security-registry-modifications.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-ms-office-macro-security-registry-modifications.asciidoc new file mode 100644 index 0000000000..7c5802dec5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-ms-office-macro-security-registry-modifications.asciidoc @@ -0,0 +1,142 @@ +[[prebuilt-rule-8-11-3-ms-office-macro-security-registry-modifications]] +=== MS Office Macro Security Registry Modifications + +Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating MS Office Macro Security Registry Modifications + +Macros are small programs that are used to automate repetitive tasks in Microsoft Office applications. Historically, macros have been used for a variety of reasons -- from automating part of a job, to building entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as part of Microsoft Office files. + +Macros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a system, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros is one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or spear phishing campaigns. + +Attackers can convince victims to modify Microsoft Office security settings, so their macros are trusted by default and no warnings are displayed when they are executed. These settings include: + +- *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission. +- *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission. + +This rule looks for registry changes affecting the conditions above. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the user and check if the change was done manually. +- Verify whether malicious macros were executed after the registry change. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve recently executed Office documents and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Reset the registry key value. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Explore using GPOs to manage security settings for Microsoft Office macros. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type == "change" and + registry.path : ( + "HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM", + "HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings", + "HKU\\S-1-12-1-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM", + "HKU\\S-1-12-1-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings", + "\\REGISTRY\\USER\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM", + "\\REGISTRY\\USER\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings", + "\\REGISTRY\\USER\\S-1-12-1-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM", + "\\REGISTRY\\USER\\S-1-12-1-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings" + ) and + registry.data.strings : ("0x00000001", "1") and + process.name : ("cscript.exe", "wscript.exe", "mshta.exe", "mshta.exe", "winword.exe", "excel.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: User Execution +** ID: T1204 +** Reference URL: https://attack.mitre.org/techniques/T1204/ +* Sub-technique: +** Name: Malicious File +** ID: T1204.002 +** Reference URL: https://attack.mitre.org/techniques/T1204/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-multiple-logon-failure-followed-by-logon-success.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-multiple-logon-failure-followed-by-logon-success.asciidoc new file mode 100644 index 0000000000..6e2a739ee9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-multiple-logon-failure-followed-by-logon-success.asciidoc @@ -0,0 +1,145 @@ +[[prebuilt-rule-8-11-3-multiple-logon-failure-followed-by-logon-success]] +=== Multiple Logon Failure Followed by Logon Success + +Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Multiple Logon Failure Followed by Logon Success + +Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/). + +This rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the logon failure reason code and the targeted user name. + - Prioritize the investigation if the account is critical or has administrative privileges over the domain. +- Investigate the source IP address of the failed Network Logon attempts. + - Identify whether these attempts are coming from the internet or are internal. +- Investigate other alerts associated with the involved users and source host during the past 48 hours. +- Identify the source and the target computer and their roles in the IT environment. +- Check whether the involved credentials are used in automation or scheduled tasks. +- If this activity is suspicious, contact the account owner and confirm whether they are aware of it. +- Examine the source host for derived artifacts that indicate compromise: + - Observe and collect information about the following activities in the alert source host: + - Attempts to contact external domains and addresses. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity. + +### False positive analysis + +- Authentication misconfiguration or obsolete credentials. +- Service account password expired. +- Domain trust relationship issues. +- Infrastructure or availability issues. + +### Related rules + +- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the source host to prevent further post-compromise behavior. +- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by winlog.computer_name, source.ip with maxspan=5s + [authentication where event.action == "logon-failed" and + /* event 4625 need to be logged */ + winlog.logon.type : "Network" and + source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and + not user.name : ("ANONYMOUS LOGON", "-", "*$") and not user.domain == "NT AUTHORITY" and + + /* noisy failure status codes often associated to authentication misconfiguration */ + not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=5 + [authentication where event.action == "logged-in" and + /* event 4624 need to be logged */ + winlog.logon.type : "Network" and + source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and + not user.name : ("ANONYMOUS LOGON", "-", "*$") and not user.domain == "NT AUTHORITY"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-multiple-logon-failure-from-the-same-source-address.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-multiple-logon-failure-from-the-same-source-address.asciidoc new file mode 100644 index 0000000000..0017a7070a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-multiple-logon-failure-from-the-same-source-address.asciidoc @@ -0,0 +1,150 @@ +[[prebuilt-rule-8-11-3-multiple-logon-failure-from-the-same-source-address]] +=== Multiple Logon Failure from the same Source Address + +Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 +* https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624 +* https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity +* https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Multiple Logon Failure from the same Source Address + +Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/). + +This rule identifies potential password guessing/brute force activity from a single address. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the logon failure reason code and the targeted user names. + - Prioritize the investigation if the account is critical or has administrative privileges over the domain. +- Investigate the source IP address of the failed Network Logon attempts. + - Identify whether these attempts are coming from the internet or are internal. +- Investigate other alerts associated with the involved users and source host during the past 48 hours. +- Identify the source and the target computer and their roles in the IT environment. +- Check whether the involved credentials are used in automation or scheduled tasks. +- If this activity is suspicious, contact the account owner and confirm whether they are aware of it. +- Examine the source host for derived artifacts that indicate compromise: + - Observe and collect information about the following activities in the alert source host: + - Attempts to contact external domains and addresses. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity + +### False positive analysis + +- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state. +- Authentication misconfiguration or obsolete credentials. +- Service account password expired. +- Domain trust relationship issues. +- Infrastructure or availability issues. + +### Related rules + +- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the source host to prevent further post-compromise behavior. +- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by winlog.computer_name, source.ip with maxspan=10s + [authentication where event.action == "logon-failed" and + /* event 4625 need to be logged */ + winlog.logon.type : "Network" and + source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and + not user.name : ("ANONYMOUS LOGON", "-", "*$") and not user.domain == "NT AUTHORITY" and + + /* + noisy failure status codes often associated to authentication misconfiguration : + 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine. + 0XC000005E - There are currently no logon servers available to service the logon request. + 0XC0000133 - Clocks between DC and other computer too far out of sync. + 0XC0000192 An attempt was made to logon, but the Netlogon service was not started. + */ + not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-multiple-vault-web-credentials-read.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-multiple-vault-web-credentials-read.asciidoc new file mode 100644 index 0000000000..b4e67fc952 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-multiple-vault-web-credentials-read.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-3-multiple-vault-web-credentials-read]] +=== Multiple Vault Web Credentials Read + +Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382 +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by winlog.computer_name, winlog.process.pid with maxspan=1s + + /* 2 consecutive vault reads from same pid for web creds */ + + [any where event.code : "5382" and + (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and + not winlog.event_data.SubjectLogonId : "0x3e7" and + not winlog.event_data.Resource : "http://localhost/"] + + [any where event.code : "5382" and + (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and + not winlog.event_data.SubjectLogonId : "0x3e7" and + not winlog.event_data.Resource : "http://localhost/"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Windows Credential Manager +** ID: T1555.004 +** Reference URL: https://attack.mitre.org/techniques/T1555/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-namespace-manipulation-using-unshare.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-namespace-manipulation-using-unshare.asciidoc new file mode 100644 index 0000000000..0ed35bef26 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-namespace-manipulation-using-unshare.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-3-namespace-manipulation-using-unshare]] +=== Namespace Manipulation Using Unshare + +Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://man7.org/linux/man-pages/man1/unshare.1.html +* https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event") and +process.executable: "/usr/bin/unshare" and +not process.parent.executable: ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd", "/usr/bin/unshare") and +not process.args : "/usr/bin/snap" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-netcat-listener-established-via-rlwrap.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-netcat-listener-established-via-rlwrap.asciidoc new file mode 100644 index 0000000000..77bc0fad95 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-netcat-listener-established-via-rlwrap.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-11-3-netcat-listener-established-via-rlwrap]] +=== Netcat Listener Established via rlwrap + +Monitors for the execution of a netcat listener via rlwrap. rlwrap is a 'readline wrapper', a small utility that uses the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction with netcat to gain a more stable reverse shell. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "rlwrap" and process.args in ( + "nc", "ncat", "netcat", "nc.openbsd", "socat" +) and process.args : "*l*" and process.args_count >= 4 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-network-activity-detected-via-cat.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-network-activity-detected-via-cat.asciidoc new file mode 100644 index 0000000000..eb322bc210 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-network-activity-detected-via-cat.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-11-3-network-activity-detected-via-cat]] +=== Network Activity Detected via cat + +This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "cat" and + process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] + [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and process.name == "cat" and + destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-network-activity-detected-via-kworker.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-network-activity-detected-via-kworker.asciidoc new file mode 100644 index 0000000000..ee722e2c9f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-network-activity-detected-via-kworker.asciidoc @@ -0,0 +1,76 @@ +[[prebuilt-rule-8-11-3-network-activity-detected-via-kworker]] +=== Network Activity Detected via Kworker + +This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-60m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and +process.name:kworker* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Technique: +** Name: Rootkit +** ID: T1014 +** Reference URL: https://attack.mitre.org/techniques/T1014/ +* Tactic: +** Name: Exfiltration +** ID: TA0010 +** Reference URL: https://attack.mitre.org/tactics/TA0010/ +* Technique: +** Name: Exfiltration Over C2 Channel +** ID: T1041 +** Reference URL: https://attack.mitre.org/techniques/T1041/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-network-connection-via-recently-compiled-executable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-network-connection-via-recently-compiled-executable.asciidoc new file mode 100644 index 0000000000..701d1a9380 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-network-connection-via-recently-compiled-executable.asciidoc @@ -0,0 +1,76 @@ +[[prebuilt-rule-8-11-3-network-connection-via-recently-compiled-executable]] +=== Network Connection via Recently Compiled Executable + +This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. Attackers may spawn reverse shells to establish persistence onto a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1m + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name in ("gcc", "g++", "cc")] by process.args + [file where host.os.type == "linux" and event.action == "creation" and process.name == "ld"] by file.name + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start"] by process.name + [network where host.os.type == "linux" and event.action == "connection_attempted"] by process.name + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-network-logon-provider-registry-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-network-logon-provider-registry-modification.asciidoc new file mode 100644 index 0000000000..aae8a51378 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-network-logon-provider-registry-modification.asciidoc @@ -0,0 +1,90 @@ +[[prebuilt-rule-8-11-3-network-logon-provider-registry-modification]] +=== Network Logon Provider Registry Modification + +Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy +* https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and registry.data.strings : "?*" and + registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\NetworkProvider\\ProviderPath" + ) and + /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */ + not ( + user.id : "S-1-5-18" and + registry.data.strings : ( + "%SystemRoot%\\System32\\ntlanman.dll", + "%SystemRoot%\\System32\\drprov.dll", + "%SystemRoot%\\System32\\davclnt.dll", + "%SystemRoot%\\System32\\vmhgfs.dll", + "?:\\Program Files (x86)\\Citrix\\ICA Client\\x64\\pnsson.dll", + "?:\\Program Files\\Dell\\SARemediation\\agent\\DellMgmtNP.dll", + "?:\\Program Files (x86)\\CheckPoint\\Endpoint Connect\\\\epcgina.dll" + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-new-activesyncalloweddeviceid-added-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-new-activesyncalloweddeviceid-added-via-powershell.asciidoc new file mode 100644 index 0000000000..441cc45d52 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-new-activesyncalloweddeviceid-added-via-powershell.asciidoc @@ -0,0 +1,84 @@ +[[prebuilt-rule-8-11-3-new-activesyncalloweddeviceid-added-via-powershell]] +=== New ActiveSyncAllowedDeviceID Added via PowerShell + +Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ +* https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: Additional Email Delegate Permissions +** ID: T1098.002 +** Reference URL: https://attack.mitre.org/techniques/T1098/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-new-systemd-service-created-by-previously-unknown-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-new-systemd-service-created-by-previously-unknown-process.asciidoc new file mode 100644 index 0000000000..319a83a7dc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-new-systemd-service-created-by-previously-unknown-process.asciidoc @@ -0,0 +1,94 @@ +[[prebuilt-rule-8-11-3-new-systemd-service-created-by-previously-unknown-process]] +=== New Systemd Service Created by Previously Unknown Process + +Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://opensource.com/article/20/7/systemd-timers +* https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:file and event.action:("creation" or "file_create_event") and file.path:( + /etc/systemd/system/* or + /usr/local/lib/systemd/system/* or + /lib/systemd/system/* or + /usr/lib/systemd/system/* or + /home/*/.config/systemd/user/* +) and +not ( + process.name:( + "dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "dnf-automatic" or python* or "puppetd" or + "elastic-agent" or "cinc-client" or "chef-client" or "pacman" or "puppet" or "cloudflared" + ) or + file.extension:("swp" or "swpx") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-new-systemd-timer-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-new-systemd-timer-created.asciidoc new file mode 100644 index 0000000000..2bc0d0f8ce --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-new-systemd-timer-created.asciidoc @@ -0,0 +1,140 @@ +[[prebuilt-rule-8-11-3-new-systemd-timer-created]] +=== New Systemd Timer Created + +Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://opensource.com/article/20/7/systemd-timers +* https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating New Systemd Timer Created + +Systemd timers are used for scheduling and automating recurring tasks or services on Linux systems. + +Attackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. + +This rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Investigate the timer file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`. +- Search for the systemd service file named similarly to the timer that was created. +- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (\npath LIKE '/etc/systemd/system/%' OR \npath LIKE '/usr/local/lib/systemd/system/%' OR \npath LIKE '/lib/systemd/system/%' OR\npath LIKE '/usr/lib/systemd/system/%' OR\npath LIKE '/home/user/.config/systemd/user/%'\n)\n"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (\npath LIKE '/etc/systemd/system/%' OR \npath LIKE '/usr/local/lib/systemd/system/%' OR \npath LIKE '/lib/systemd/system/%' OR\npath LIKE '/usr/lib/systemd/system/%' OR\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\n)\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the service/timer or restore its original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and +file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or +/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : ( + "docker" or "dockerd" or "dnf" or "yum" or "rpm" or "dpkg" or "executor" or "cloudflared" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Systemd Timers +** ID: T1053.006 +** Reference URL: https://attack.mitre.org/techniques/T1053/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-nping-process-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-nping-process-activity.asciidoc new file mode 100644 index 0000000000..c844e6e453 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-nping-process-activity.asciidoc @@ -0,0 +1,64 @@ +[[prebuilt-rule-8-11-3-nping-process-activity]] +=== Nping Process Activity + +Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://en.wikipedia.org/wiki/Nmap + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and process.name == "nping" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Service Discovery +** ID: T1046 +** Reference URL: https://attack.mitre.org/techniques/T1046/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-ntds-or-sam-database-file-copied.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-ntds-or-sam-database-file-copied.asciidoc new file mode 100644 index 0000000000..c66b4406f1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-ntds-or-sam-database-file-copied.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-3-ntds-or-sam-database-file-copied]] +=== NTDS or SAM Database File Copied + +Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: + +* https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/ +* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + ( + (process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "XCOPY.EXE") and + process.args : ("copy", "xcopy", "Copy-Item", "move", "cp", "mv") + ) or + (process.pe.original_file_name : "esentutl.exe" and process.args : ("*/y*", "*/vss*", "*/d*")) + ) and + process.args : ("*\\ntds.dit", "*\\config\\SAM", "\\*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\*", "*/system32/config/SAM*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Sub-technique: +** Name: NTDS +** ID: T1003.003 +** Reference URL: https://attack.mitre.org/techniques/T1003/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-peripheral-device-discovery.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-peripheral-device-discovery.asciidoc new file mode 100644 index 0000000000..67b0f52e71 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-peripheral-device-discovery.asciidoc @@ -0,0 +1,103 @@ +[[prebuilt-rule-8-11-3-peripheral-device-discovery]] +=== Peripheral Device Discovery + +Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Peripheral Device Discovery + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software. + +This rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "fsutil.exe" or process.pe.original_file_name == "fsutil.exe") and + process.args : "fsinfo" and process.args : "drives" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Peripheral Device Discovery +** ID: T1120 +** Reference URL: https://attack.mitre.org/techniques/T1120/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-bits-job-notify-cmdline.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-bits-job-notify-cmdline.asciidoc new file mode 100644 index 0000000000..105f8088a0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-bits-job-notify-cmdline.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-8-11-3-persistence-via-bits-job-notify-cmdline]] +=== Persistence via BITS Job Notify Cmdline + +An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pentestlab.blog/2019/10/30/persistence-bits-jobs/ +* https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline +* https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline +* https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "svchost.exe" and process.parent.args : "BITS" and + not process.executable : + ("?:\\Windows\\System32\\WerFaultSecure.exe", + "?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\System32\\wermgr.exe", + "?:\\WINDOWS\\system32\\directxdatabaseupdater.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: BITS Jobs +** ID: T1197 +** Reference URL: https://attack.mitre.org/techniques/T1197/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-hidden-run-key-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-hidden-run-key-detected.asciidoc new file mode 100644 index 0000000000..d4e6544d3b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-hidden-run-key-detected.asciidoc @@ -0,0 +1,101 @@ +[[prebuilt-rule-8-11-3-persistence-via-hidden-run-key-detected]] +=== Persistence via Hidden Run Key Detected + +Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit). + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/outflanknl/SharpHide +* https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +/* Registry Path ends with backslash */ +registry where host.os.type == "windows" and /* length(registry.data.strings) > 0 and */ + registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", + "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", + "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", + "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "\\REGISTRY\\MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\", + "\\REGISTRY\\USER\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", + "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Registry Run Keys / Startup Folder +** ID: T1547.001 +** Reference URL: https://attack.mitre.org/techniques/T1547/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc new file mode 100644 index 0000000000..8f4b293c85 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc @@ -0,0 +1,80 @@ +[[prebuilt-rule-8-11-3-persistence-via-kde-autostart-script-or-desktop-file-modification]] +=== Persistence via KDE AutoStart Script or Desktop File Modification + +Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://userbase.kde.org/System_Settings/Autostart +* https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/ +* https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type != "deletion" and + file.extension in ("sh", "desktop") and + file.path : + ( + "/home/*/.config/autostart/*", "/root/.config/autostart/*", + "/home/*/.kde/Autostart/*", "/root/.kde/Autostart/*", + "/home/*/.kde4/Autostart/*", "/root/.kde4/Autostart/*", + "/home/*/.kde/share/autostart/*", "/root/.kde/share/autostart/*", + "/home/*/.kde4/share/autostart/*", "/root/.kde4/share/autostart/*", + "/home/*/.local/share/autostart/*", "/root/.local/share/autostart/*", + "/home/*/.config/autostart-scripts/*", "/root/.config/autostart-scripts/*", + "/etc/xdg/autostart/*", "/usr/share/autostart/*" + ) and + not process.name in ("yum", "dpkg", "install", "dnf", "teams", "yum-cron", "dnf-automatic", "docker", "dockerd", + "rpm") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-login-or-logout-hook.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-login-or-logout-hook.asciidoc new file mode 100644 index 0000000000..3f16ac4276 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-login-or-logout-hook.asciidoc @@ -0,0 +1,71 @@ +[[prebuilt-rule-8-11-3-persistence-via-login-or-logout-hook]] +=== Persistence via Login or Logout Hook + +Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf +* https://www.manpagez.com/man/1/defaults/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type == "start" and + process.name == "defaults" and process.args == "write" and process.args : ("LoginHook", "LogoutHook") and + not process.args : + ( + "Support/JAMF/ManagementFrameworkScripts/logouthook.sh", + "Support/JAMF/ManagementFrameworkScripts/loginhook.sh", + "/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh", + "/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-microsoft-office-addins.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-microsoft-office-addins.asciidoc new file mode 100644 index 0000000000..cef0f1f265 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-microsoft-office-addins.asciidoc @@ -0,0 +1,76 @@ +[[prebuilt-rule-8-11-3-persistence-via-microsoft-office-addins]] +=== Persistence via Microsoft Office AddIns + +Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and + file.extension : ("wll","xll","ppa","ppam","xla","xlam") and + file.path : + ( + "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*", + "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*", + "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Office Application Startup +** ID: T1137 +** Reference URL: https://attack.mitre.org/techniques/T1137/ +* Sub-technique: +** Name: Add-ins +** ID: T1137.006 +** Reference URL: https://attack.mitre.org/techniques/T1137/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-microsoft-outlook-vba.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-microsoft-outlook-vba.asciidoc new file mode 100644 index 0000000000..87fb30eef2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-microsoft-outlook-vba.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-11-3-persistence-via-microsoft-outlook-vba]] +=== Persistence via Microsoft Outlook VBA + +Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ +* https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and + file.path : "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Office Application Startup +** ID: T1137 +** Reference URL: https://attack.mitre.org/techniques/T1137/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-scheduled-job-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-scheduled-job-creation.asciidoc new file mode 100644 index 0000000000..2720c999ad --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-scheduled-job-creation.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-3-persistence-via-scheduled-job-creation]] +=== Persistence via Scheduled Job Creation + +A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and + file.path : "?:\\Windows\\Tasks\\*" and file.extension : "job" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc new file mode 100644 index 0000000000..720d21e07c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc @@ -0,0 +1,97 @@ +[[prebuilt-rule-8-11-3-persistence-via-telemetrycontroller-scheduled-task-hijack]] +=== Persistence via TelemetryController Scheduled Task Hijack + +Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "CompatTelRunner.exe" and process.args : "-cv*" and + not process.name : ("conhost.exe", + "DeviceCensus.exe", + "CompatTelRunner.exe", + "DismHost.exe", + "rundll32.exe", + "powershell.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-update-orchestrator-service-hijack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-update-orchestrator-service-hijack.asciidoc new file mode 100644 index 0000000000..ecdddba22a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-update-orchestrator-service-hijack.asciidoc @@ -0,0 +1,160 @@ +[[prebuilt-rule-8-11-3-persistence-via-update-orchestrator-service-hijack]] +=== Persistence via Update Orchestrator Service Hijack + +Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/irsl/CVE-2020-1313 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Use Case: Vulnerability +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Persistence via Update Orchestrator Service Hijack + +Windows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020. + +This rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.executable : "C:\\Windows\\System32\\svchost.exe" and + process.parent.args : "UsoSvc" and + not process.executable : + ("?:\\ProgramData\\Microsoft\\Windows\\UUS\\Packages\\*\\amd64\\MoUsoCoreWorker.exe", + "?:\\Windows\\System32\\UsoClient.exe", + "?:\\Windows\\System32\\MusNotification.exe", + "?:\\Windows\\System32\\MusNotificationUx.exe", + "?:\\Windows\\System32\\MusNotifyIcon.exe", + "?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\System32\\WerMgr.exe", + "?:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe", + "?:\\Windows\\System32\\MoUsoCoreWorker.exe", + "?:\\Windows\\UUS\\amd64\\UsoCoreWorker.exe", + "?:\\Windows\\System32\\UsoCoreWorker.exe", + "?:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe") and + not process.name : ("MoUsoCoreWorker.exe", "OfficeC2RClient.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-wmi-event-subscription.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-wmi-event-subscription.asciidoc new file mode 100644 index 0000000000..a88875a837 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistence-via-wmi-event-subscription.asciidoc @@ -0,0 +1,81 @@ +[[prebuilt-rule-8-11-3-persistence-via-wmi-event-subscription]] +=== Persistence via WMI Event Subscription + +An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "wmic.exe" or process.pe.original_file_name == "wmic.exe") and + process.args : "create" and + process.args : ("ActiveScriptEventConsumer", "CommandLineEventConsumer") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Windows Management Instrumentation Event Subscription +** ID: T1546.003 +** Reference URL: https://attack.mitre.org/techniques/T1546/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistent-scripts-in-the-startup-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistent-scripts-in-the-startup-directory.asciidoc new file mode 100644 index 0000000000..6167a29c1d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-persistent-scripts-in-the-startup-directory.asciidoc @@ -0,0 +1,147 @@ +[[prebuilt-rule-8-11-3-persistent-scripts-in-the-startup-directory]] +=== Persistent Scripts in the Startup Directory + +Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Persistent Scripts in the Startup Directory + +The Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence. + +This rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff +- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and user.domain != "NT AUTHORITY" and + + /* detect shortcuts created by wscript.exe or cscript.exe */ + (file.path : "C:\\*\\Programs\\Startup\\*.lnk" and + process.name : ("wscript.exe", "cscript.exe")) or + + /* detect vbs or js files created by any process */ + file.path : ("C:\\*\\Programs\\Startup\\*.vbs", + "C:\\*\\Programs\\Startup\\*.vbe", + "C:\\*\\Programs\\Startup\\*.wsh", + "C:\\*\\Programs\\Startup\\*.wsf", + "C:\\*\\Programs\\Startup\\*.js") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Registry Run Keys / Startup Folder +** ID: T1547.001 +** Reference URL: https://attack.mitre.org/techniques/T1547/001/ +* Sub-technique: +** Name: Shortcut Modification +** ID: T1547.009 +** Reference URL: https://attack.mitre.org/techniques/T1547/009/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-port-forwarding-rule-addition.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-port-forwarding-rule-addition.asciidoc new file mode 100644 index 0000000000..c85930312c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-port-forwarding-rule-addition.asciidoc @@ -0,0 +1,128 @@ +[[prebuilt-rule-8-11-3-port-forwarding-rule-addition]] +=== Port Forwarding Rule Addition + +Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Port Forwarding Rule Addition + +Network port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer. + +Attackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems. + +This rule monitors the modifications to the `HKLM\SYSTEM\*ControlSet*\Services\PortProxy\v4tov4\` subkeys. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used. + - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration. +- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Delete the port forwarding rule. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\*" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-application-shimming-via-sdbinst.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-application-shimming-via-sdbinst.asciidoc new file mode 100644 index 0000000000..e74cd2fac7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-application-shimming-via-sdbinst.asciidoc @@ -0,0 +1,81 @@ +[[prebuilt-rule-8-11-3-potential-application-shimming-via-sdbinst]] +=== Potential Application Shimming via Sdbinst + +The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and + not (process.args : "-m" and process.args : "-bg") and + not process.args : "-mm" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Application Shimming +** ID: T1546.011 +** Reference URL: https://attack.mitre.org/techniques/T1546/011/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Application Shimming +** ID: T1546.011 +** Reference URL: https://attack.mitre.org/techniques/T1546/011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-code-execution-via-postgresql.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-code-execution-via-postgresql.asciidoc new file mode 100644 index 0000000000..d053b71983 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-code-execution-via-postgresql.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-3-potential-code-execution-via-postgresql]] +=== Potential Code Execution via Postgresql + +This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and +event.type == "start" and user.name == "postgres" and ( + (process.parent.args : "*sh" and process.parent.args : "echo*") or + (process.args : "*sh" and process.args : "echo*") +) and not process.parent.name : "puppet" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-cookies-theft-via-browser-debugging.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-cookies-theft-via-browser-debugging.asciidoc new file mode 100644 index 0000000000..7e1b907c19 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-cookies-theft-via-browser-debugging.asciidoc @@ -0,0 +1,81 @@ +[[prebuilt-rule-8-11-3-potential-cookies-theft-via-browser-debugging]] +=== Potential Cookies Theft via Browser Debugging + +Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: + +* https://github.com/defaultnamehere/cookie_crimes +* https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/ +* https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md +* https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: Windows +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 104 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started", "info") and + process.name in ( + "Microsoft Edge", + "chrome.exe", + "Google Chrome", + "google-chrome-stable", + "google-chrome-beta", + "google-chrome", + "msedge.exe") and + process.args : ("--remote-debugging-port=*", + "--remote-debugging-targets=*", + "--remote-debugging-pipe=*") and + process.args : "--user-data-dir=*" and not process.args:"--remote-debugging-port=0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Web Session Cookie +** ID: T1539 +** Reference URL: https://attack.mitre.org/techniques/T1539/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-dcsync.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-dcsync.asciidoc new file mode 100644 index 0000000000..1d32573730 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-dcsync.asciidoc @@ -0,0 +1,155 @@ +[[prebuilt-rule-8-11-3-potential-credential-access-via-dcsync]] +=== Potential Credential Access via DCSync + +This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html +* https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing +* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md +* https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync +* https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Privilege Escalation +* Data Source: Active Directory +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring + +*Version*: 111 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Credential Access via DCSync + +Active Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data. + +Active Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object. + +Adversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate. + +More details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync). + +This rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)). + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not. +- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones). + +### False positive analysis + +- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. If noisy in your environment due to expected activity, consider adding the corresponding account as a exception. +- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If the entire domain or the `krbtgt` user was compromised: + - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user. +- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where event.action == "Directory Service Access" and + event.code == "4662" and winlog.event_data.Properties : ( + + /* Control Access Rights/Permissions Symbol */ + + "*DS-Replication-Get-Changes*", + "*DS-Replication-Get-Changes-All*", + "*DS-Replication-Get-Changes-In-Filtered-Set*", + + /* Identifying GUID used in ACE */ + + "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", + "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", + "*89e95b76-444d-4c62-991a-0facbeda640c*") + + /* The right to perform an operation controlled by an extended access right. */ + + and winlog.event_data.AccessMask : "0x100" and + not winlog.event_data.SubjectUserName : ( + "*$", "MSOL_*", "OpenDNS_Connector", "adconnect", "SyncADConnect", + "SyncADConnectCM", "aadsync", "svcAzureADSync", "-" + ) + + /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */ + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: DCSync +** ID: T1003.006 +** Reference URL: https://attack.mitre.org/techniques/T1003/006/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-duplicatehandle-in-lsass.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-duplicatehandle-in-lsass.asciidoc new file mode 100644 index 0000000000..84ed30f7a8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-duplicatehandle-in-lsass.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-11-3-potential-credential-access-via-duplicatehandle-in-lsass]] +=== Potential Credential Access via DuplicateHandle in LSASS + +Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/CCob/MirrorDump + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Sysmon Only + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.code == "10" and + + /* LSASS requesting DuplicateHandle access right to another process */ + process.name : "lsass.exe" and winlog.event_data.GrantedAccess == "0x40" and + + /* call is coming from an unknown executable region */ + winlog.event_data.CallTrace : "*UNKNOWN*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-lsass-memory-dump.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-lsass-memory-dump.asciidoc new file mode 100644 index 0000000000..4105f3e852 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-lsass-memory-dump.asciidoc @@ -0,0 +1,87 @@ +[[prebuilt-rule-8-11-3-potential-credential-access-via-lsass-memory-dump]] +=== Potential Credential Access via LSASS Memory Dump + +Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic:Execution +* Data Source: Sysmon Only + +*Version*: 208 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.code == "10" and + winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and + + /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/ + winlog.event_data.CallTrace : ("*dbghelp*", "*dbgcore*") and + + /* case of lsass crashing */ + not process.executable : ( + "?:\\Windows\\System32\\WerFault.exe", + "?:\\Windows\\SysWOW64\\WerFault.exe", + "?:\\Windows\\System32\\WerFaultSecure.exe" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-renamed-com-services-dll.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-renamed-com-services-dll.asciidoc new file mode 100644 index 0000000000..711c155982 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-renamed-com-services-dll.asciidoc @@ -0,0 +1,85 @@ +[[prebuilt-rule-8-11-3-potential-credential-access-via-renamed-com-services-dll]] +=== Potential Credential Access via Renamed COM+ Services DLL + +Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Defense Evasion +* Data Source: Sysmon Only + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=1m + [process where host.os.type == "windows" and event.category == "process" and + process.name : "rundll32.exe"] + [process where host.os.type == "windows" and event.category == "process" and event.dataset : "windows.sysmon_operational" and event.code == "7" and + (file.pe.original_file_name : "COMSVCS.DLL" or file.pe.imphash : "EADBCCBB324829ACB5F2BBE87E5549A8") and + /* renamed COMSVCS */ + not file.name : "COMSVCS.DLL"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-windows-utilities.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-windows-utilities.asciidoc new file mode 100644 index 0000000000..e692c6db33 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-credential-access-via-windows-utilities.asciidoc @@ -0,0 +1,161 @@ +[[prebuilt-rule-8-11-3-potential-credential-access-via-windows-utilities]] +=== Potential Credential Access via Windows Utilities + +Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* +* logs-system.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://lolbas-project.github.io/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Credential Access via Windows Utilities + +Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. + +The `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership. + +This rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the command line to identify what information was targeted. +- Identify the target computer and its role in the IT environment. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If the host is a domain controller (DC): + - Activate your incident response plan for total Active Directory compromise. + - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +( + ( + (process.pe.original_file_name : "procdump" or process.name : "procdump.exe") and process.args : "-ma" + ) or + ( + process.name : "ProcessDump.exe" and not process.parent.executable regex~ """C:\\Program Files( \(x86\))?\\Cisco Systems\\.*""" + ) or + ( + (process.pe.original_file_name : "WriteMiniDump.exe" or process.name : "WriteMiniDump.exe") and + not process.parent.executable regex~ """C:\\Program Files( \(x86\))?\\Steam\\.*""" + ) or + ( + (process.pe.original_file_name : "RUNDLL32.EXE" or process.name : "RUNDLL32.exe") and + (process.args : "MiniDump*" or process.command_line : "*comsvcs.dll*#24*") + ) or + ( + (process.pe.original_file_name : "RdrLeakDiag.exe" or process.name : "RdrLeakDiag.exe") and + process.args : "/fullmemdmp" + ) or + ( + (process.pe.original_file_name : "SqlDumper.exe" or process.name : "SqlDumper.exe") and + process.args : "0x01100*") or + ( + (process.pe.original_file_name : "TTTracer.exe" or process.name : "TTTracer.exe") and + process.args : "-dumpFull" and process.args : "-attach") or + ( + (process.pe.original_file_name : "ntdsutil.exe" or process.name : "ntdsutil.exe") and + process.args : "create*full*") or + ( + (process.pe.original_file_name : "diskshadow.exe" or process.name : "diskshadow.exe") and process.args : "/s") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ +* Sub-technique: +** Name: NTDS +** ID: T1003.003 +** Reference URL: https://attack.mitre.org/techniques/T1003/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-curl-cve-2023-38545-exploitation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-curl-cve-2023-38545-exploitation.asciidoc new file mode 100644 index 0000000000..c742b8bdf2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-curl-cve-2023-38545-exploitation.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-3-potential-curl-cve-2023-38545-exploitation]] +=== Potential curl CVE-2023-38545 Exploitation + +Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://curl.se/docs/CVE-2023-38545.html +* https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/ +* https://twitter.com/_JohnHammond/status/1711986412554531015 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Use Case: Vulnerability +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "curl" +and ( + process.args : ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or + process.env_vars: ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*") +) and length(process.command_line) > 255 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Exploitation for Client Execution +** ID: T1203 +** Reference URL: https://attack.mitre.org/techniques/T1203/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-defense-evasion-via-proot.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-defense-evasion-via-proot.asciidoc new file mode 100644 index 0000000000..d7617bf7f8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-defense-evasion-via-proot.asciidoc @@ -0,0 +1,61 @@ +[[prebuilt-rule-8-11-3-potential-defense-evasion-via-proot]] +=== Potential Defense Evasion via PRoot + +Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://proot-me.github.io/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.action == "exec" and process.parent.name =="proot" and host.os.type == "linux" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Exploitation for Defense Evasion +** ID: T1211 +** Reference URL: https://attack.mitre.org/techniques/T1211/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-disabling-of-apparmor.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-disabling-of-apparmor.asciidoc new file mode 100644 index 0000000000..3b4beb0792 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-disabling-of-apparmor.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-11-3-potential-disabling-of-apparmor]] +=== Potential Disabling of AppArmor + +This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( + (process.name == "systemctl" and process.args == "disable" and process.args == "apparmor") or + (process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args : "/etc/apparmor.d/disable/") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-disabling-of-selinux.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-disabling-of-selinux.asciidoc new file mode 100644 index 0000000000..c54cc9b94e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-disabling-of-selinux.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-11-3-potential-disabling-of-selinux]] +=== Potential Disabling of SELinux + +Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-dll-side-loading-via-microsoft-antimalware-service-executable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-dll-side-loading-via-microsoft-antimalware-service-executable.asciidoc new file mode 100644 index 0000000000..2a4f80dc20 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-dll-side-loading-via-microsoft-antimalware-service-executable.asciidoc @@ -0,0 +1,80 @@ +[[prebuilt-rule-8-11-3-potential-dll-side-loading-via-microsoft-antimalware-service-executable]] +=== Potential DLL Side-Loading via Microsoft Antimalware Service Executable + +Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic +* Dennis Perto + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +( + (process.pe.original_file_name == "MsMpEng.exe" and not process.name : "MsMpEng.exe") or + (process.name : "MsMpEng.exe" and not + process.executable : ("?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe", + "?:\\Program Files\\Windows Defender\\*.exe", + "?:\\Program Files (x86)\\Windows Defender\\*.exe", + "?:\\Program Files\\Microsoft Security Client\\*.exe", + "?:\\Program Files (x86)\\Microsoft Security Client\\*.exe")) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Side-Loading +** ID: T1574.002 +** Reference URL: https://attack.mitre.org/techniques/T1574/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc new file mode 100644 index 0000000000..e10a85963a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc @@ -0,0 +1,81 @@ +[[prebuilt-rule-8-11-3-potential-dll-side-loading-via-trusted-microsoft-programs]] +=== Potential DLL Side-Loading via Trusted Microsoft Programs + +Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.pe.original_file_name in ("WinWord.exe", "EXPLORER.EXE", "w3wp.exe", "DISM.EXE") and + not (process.name : ("winword.exe", "explorer.exe", "w3wp.exe", "Dism.exe") or + process.executable : ("?:\\Windows\\explorer.exe", + "?:\\Program Files\\Microsoft Office\\root\\Office*\\WINWORD.EXE", + "?:\\Program Files?(x86)\\Microsoft Office\\root\\Office*\\WINWORD.EXE", + "?:\\Windows\\System32\\Dism.exe", + "?:\\Windows\\SysWOW64\\Dism.exe", + "?:\\Windows\\System32\\inetsrv\\w3wp.exe") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Side-Loading +** ID: T1574.002 +** Reference URL: https://attack.mitre.org/techniques/T1574/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-dns-tunneling-via-nslookup.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-dns-tunneling-via-nslookup.asciidoc new file mode 100644 index 0000000000..39ede4c03e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-dns-tunneling-via-nslookup.asciidoc @@ -0,0 +1,117 @@ +[[prebuilt-rule-8-11-3-potential-dns-tunneling-via-nslookup]] +=== Potential DNS Tunneling via NsLookup + +This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential DNS Tunneling via NsLookup + +Attackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel. + +DNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling. + +More information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors). + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the DNS query and identify the information sent. +- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts. + +### False positive analysis + +- This mechanism can be used legitimately. If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Immediately block the identified indicators of compromise (IoCs). +- Implement any temporary network rules, procedures, and segmentation required to contain the attack. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Update firewall rules to be more restrictive. +- Reimage the host operating system or restore the compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5m +[process where host.os.type == "windows" and event.type == "start" and + process.name : "nslookup.exe" and process.args:("-querytype=*", "-qt=*", "-q=*", "-type=*")] with runs = 10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Sub-technique: +** Name: DNS +** ID: T1071.004 +** Reference URL: https://attack.mitre.org/techniques/T1071/004/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-external-linux-ssh-brute-force-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-external-linux-ssh-brute-force-detected.asciidoc new file mode 100644 index 0000000000..45912f8497 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-external-linux-ssh-brute-force-detected.asciidoc @@ -0,0 +1,118 @@ +[[prebuilt-rule-8-11-3-potential-external-linux-ssh-brute-force-detected]] +=== Potential External Linux SSH Brute Force Detected + +Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. + +*Rule type*: eql + +*Rule indices*: + +* logs-system.auth-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 5 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential External Linux SSH Brute Force Detected + +The rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts. + +This rule will generate a lot of noise for systems with a front-facing SSH service, as adversaries scan the internet for remotely accessible SSH services and try to brute force them to gain unauthorized access. + +In case this rule generates too much noise and external brute forcing is of not much interest, consider turning this rule off and enabling "Potential Internal Linux SSH Brute Force Detected" to detect internal brute force attempts. + +#### Possible investigation steps + +- Investigate the login failure user name(s). +- Investigate the source IP address of the failed ssh login attempt(s). +- Investigate other alerts associated with the user/host during the past 48 hours. +- Identify the source and the target computer and their roles in the IT environment. + +### False positive analysis + +- Authentication misconfiguration or obsolete credentials. +- Service account password expired. +- Infrastructure or availability issue. + +### Related Rules + +- Potential Internal Linux SSH Brute Force Detected - 1c27fa22-7727-4dd3-81c0-de6da5555feb +- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, source.ip, user.name with maxspan=15s + [ authentication where host.os.type == "linux" and + event.action in ("ssh_login", "user_login") and event.outcome == "failure" and + not cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", + "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", + "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", + "::1", "FE80::/10", "FF00::/8") ] with runs = 10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-hidden-process-via-mount-hidepid.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-hidden-process-via-mount-hidepid.asciidoc new file mode 100644 index 0000000000..7d87c95382 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-hidden-process-via-mount-hidepid.asciidoc @@ -0,0 +1,62 @@ +[[prebuilt-rule-8-11-3-potential-hidden-process-via-mount-hidepid]] +=== Potential Hidden Process via Mount Hidepid + +Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and process.name == "mount" and event.action == "exec" and +process.args == "/proc" and process.args == "-o" and process.args : "*hidepid=2*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-internal-linux-ssh-brute-force-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-internal-linux-ssh-brute-force-detected.asciidoc new file mode 100644 index 0000000000..e9b9ca1026 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-internal-linux-ssh-brute-force-detected.asciidoc @@ -0,0 +1,114 @@ +[[prebuilt-rule-8-11-3-potential-internal-linux-ssh-brute-force-detected]] +=== Potential Internal Linux SSH Brute Force Detected + +Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. + +*Rule type*: eql + +*Rule indices*: + +* logs-system.auth-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 5 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Internal Linux SSH Brute Force Detected + +The rule identifies consecutive internal SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts. + +#### Possible investigation steps + +- Investigate the login failure user name(s). +- Investigate the source IP address of the failed ssh login attempt(s). +- Investigate other alerts associated with the user/host during the past 48 hours. +- Identify the source and the target computer and their roles in the IT environment. + +### False positive analysis + +- Authentication misconfiguration or obsolete credentials. +- Service account password expired. +- Infrastructure or availability issue. + +### Related Rules + +- Potential External Linux SSH Brute Force Detected - fa210b61-b627-4e5e-86f4-17e8270656ab +- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, source.ip, user.name with maxspan=15s + [ authentication where host.os.type == "linux" and + event.action in ("ssh_login", "user_login") and event.outcome == "failure" and + cidrmatch(source.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", + "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", + "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", + "100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", + "::1", "FE80::/10", "FF00::/8") ] with runs = 10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-invoke-mimikatz-powershell-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-invoke-mimikatz-powershell-script.asciidoc new file mode 100644 index 0000000000..1a890aa75d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-invoke-mimikatz-powershell-script.asciidoc @@ -0,0 +1,130 @@ +[[prebuilt-rule-8-11-3-potential-invoke-mimikatz-powershell-script]] +=== Potential Invoke-Mimikatz PowerShell Script + +Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell script and alike. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/software/S0002/ +* https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1 +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Mimikatz PowerShell Activity + +[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network. + +This rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it typically represents an active adversary. + +More information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821). + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. + - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the "Related Rules" section. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host. + - Examine network and security events in the environment to identify potential lateral movement using compromised credentials. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe +- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad +- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d +- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6 +- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Validate that cleartext passwords are disabled in memory for use with `WDigest`. +- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and +powershell.file.script_block_text:( + (DumpCreds and + DumpCerts) or + "sekurlsa::logonpasswords" or + ("crypto::certificates" and + "CERT_SYSTEM_STORE_LOCAL_MACHINE") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-backdoor-user-account-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-backdoor-user-account-creation.asciidoc new file mode 100644 index 0000000000..2a96eb964b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-backdoor-user-account-creation.asciidoc @@ -0,0 +1,123 @@ +[[prebuilt-rule-8-11-3-potential-linux-backdoor-user-account-creation]] +=== Potential Linux Backdoor User Account Creation + +Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Linux Backdoor User Account Creation + +The `usermod` command is used to modify user account attributes and settings in Linux-based operating systems. + +Attackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account. + +This rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps +- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes. + - !{osquery{"label":"Osquery - Retrieve User Accounts with a UID of 0","query":"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'"}} +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific User","query":"SELECT * FROM users WHERE username = {{user.name}}"}} +- Investigate whether the user is currently logged in and active. + - !{osquery{"label":"Osquery - Investigate the Account Authentication Status","query":"SELECT * FROM logged_in_users WHERE user = {{user.name}}"}} +- Identify if the account was added to privileged groups or assigned special privileges after creation. + - !{osquery{"label":"Osquery - Retrieve Information for a Specific Group","query":"SELECT * FROM groups WHERE groupname = {{group.name}}"}} +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Delete the created account. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and +event.action in ("exec", "exec_event") and process.name == "usermod" and +process.args : "-u" and process.args : "0" and process.args : "-o" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Local Account +** ID: T1136.001 +** Reference URL: https://attack.mitre.org/techniques/T1136/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-credential-dumping-via-proc-filesystem.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-credential-dumping-via-proc-filesystem.asciidoc new file mode 100644 index 0000000000..eaae2b640d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-credential-dumping-via-proc-filesystem.asciidoc @@ -0,0 +1,76 @@ +[[prebuilt-rule-8-11-3-potential-linux-credential-dumping-via-proc-filesystem]] +=== Potential Linux Credential Dumping via Proc Filesystem + +Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/huntergregal/mimipenguin +* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.parent.name,host.name with maxspan=1m +[process where host.os.type == "linux" and process.name == "ps" and event.action == "exec" + and process.args in ("-eo", "pid", "command") ] + +[process where host.os.type == "linux" and process.name == "strings" and event.action == "exec" + and process.args : "/tmp/*" ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Proc Filesystem +** ID: T1003.007 +** Reference URL: https://attack.mitre.org/techniques/T1003/007/ +* Technique: +** Name: Exploitation for Credential Access +** ID: T1212 +** Reference URL: https://attack.mitre.org/techniques/T1212/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-credential-dumping-via-unshadow.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-credential-dumping-via-unshadow.asciidoc new file mode 100644 index 0000000000..61af3642fb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-credential-dumping-via-unshadow.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-3-potential-linux-credential-dumping-via-unshadow]] +=== Potential Linux Credential Dumping via Unshadow + +Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/ + +*Tags*: + +* Data Source: Elastic Endgame +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and process.name == "unshadow" and + event.type == "start" and event.action in ("exec", "exec_event") and process.args_count >= 2 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: /etc/passwd and /etc/shadow +** ID: T1003.008 +** Reference URL: https://attack.mitre.org/techniques/T1003/008/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-hack-tool-launched.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-hack-tool-launched.asciidoc new file mode 100644 index 0000000000..60a32fc3c8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-hack-tool-launched.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-8-11-3-potential-linux-hack-tool-launched]] +=== Potential Linux Hack Tool Launched + +Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process.name in ( + // exploitation frameworks + "crackmapexec", "msfconsole", "msfvenom", "sliver-client", "sliver-server", "havoc", + // network scanners (nmap left out to reduce noise) + "zenmap", "nuclei", "netdiscover", "legion", + // web enumeration + "gobuster", "dirbuster", "dirb", "wfuzz", "ffuf", "whatweb", "eyewitness", + // web vulnerability scanning + "wpscan", "joomscan", "droopescan", "nikto", + // exploitation tools + "sqlmap", "commix", "yersinia", + // cracking and brute forcing + "john", "hashcat", "hydra", "ncrack", "cewl", "fcrackzip", "rainbowcrack", + // host and network + "linenum.sh", "linpeas.sh", "pspy32", "pspy32s", "pspy64", "pspy64s", "binwalk", "evil-winrm" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-local-account-brute-force-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-local-account-brute-force-detected.asciidoc new file mode 100644 index 0000000000..f93d89adbf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-local-account-brute-force-detected.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-11-3-potential-linux-local-account-brute-force-detected]] +=== Potential Linux Local Account Brute Force Detected + +Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.parent.executable, user.id with maxspan=1s + [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "su" and + not process.parent.name in ( + "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "clickhouse-server" + )] with runs=10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-ransomware-note-creation-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-ransomware-note-creation-detected.asciidoc new file mode 100644 index 0000000000..3598491f15 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-ransomware-note-creation-detected.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-11-3-potential-linux-ransomware-note-creation-detected]] +=== Potential Linux Ransomware Note Creation Detected + +This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Impact +* Data Source: Elastic Defend + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id, host.id with maxspan=1s + [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" + and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and + file.path : ( + "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", + "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*")] with runs=25 + [file where host.os.type == "linux" and event.action == "creation" and file.name : ( + "*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", "*read*", "*instruction*", "*how_to*", "*ransom*" + )] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Encrypted for Impact +** ID: T1486 +** Reference URL: https://attack.mitre.org/techniques/T1486/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-tunneling-and-or-port-forwarding.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-tunneling-and-or-port-forwarding.asciidoc new file mode 100644 index 0000000000..65e44d1a44 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-linux-tunneling-and-or-port-forwarding.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-11-3-potential-linux-tunneling-and-or-port-forwarding]] +=== Potential Linux Tunneling and/or Port Forwarding + +This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform +* https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (( + // gost & pivotnacci - spawned without process.parent.name + (process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or ( + // ssh + (process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "D", "-w") and process.args_count >= 4 and + not process.args : "chmod")) or + // sshuttle + (process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or + // socat + (process.name == "socat" and process.args : ("TCP4-LISTEN:*", "SOCKS*") and process.args_count >= 3) or + // chisel + (process.name : "chisel*" and process.args in ("client", "server")) or + // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok + (process.name in ("iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", "ssf", "3proxy", "ngrok")) + ) and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc new file mode 100644 index 0000000000..18db39f378 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-11-3-potential-lsass-clone-creation-via-psscapturesnapshot]] +=== Potential LSASS Clone Creation via PssCaptureSnapShot + +Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/ +* https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Sysmon Only + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.code:"4688" and + process.executable : "?:\\Windows\\System32\\lsass.exe" and + process.parent.executable : "?:\\Windows\\System32\\lsass.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc new file mode 100644 index 0000000000..edcd41071a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-11-3-potential-lsass-memory-dump-via-psscapturesnapshot]] +=== Potential LSASS Memory Dump via PssCaptureSnapShot + +Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access. + +*Rule type*: threshold + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/ +* https://twitter.com/sbousseaden/status/1280619931516747777?lang=en + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Sysmon Only + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and event.code:10 and + winlog.event_data.TargetImage:("C:\\Windows\\system32\\lsass.exe" or + "c:\\Windows\\system32\\lsass.exe" or + "c:\\Windows\\System32\\lsass.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-malicious-file-downloaded-from-google-drive.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-malicious-file-downloaded-from-google-drive.asciidoc new file mode 100644 index 0000000000..a8c2fa22bb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-malicious-file-downloaded-from-google-drive.asciidoc @@ -0,0 +1,113 @@ +[[prebuilt-rule-8-11-3-potential-malicious-file-downloaded-from-google-drive]] +=== Potential Malicious File Downloaded from Google Drive + +Identifies potential malicious file download and execution from Google Drive. The rule checks for download activity from Google Drive URL, followed by the creation of files commonly leveraged by or for malware. This could indicate an attempt to run malicious scripts, executables or payloads. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: Windows +* OS: macOS +* Use Case: Threat Detection +* Tactic: Command and Control + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=30s +[any where + + /* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */ + (event.action in ("exec", "fork", "start", "load")) or + + /* Look for Google Drive download URL with AV flag skipping */ + (process.args : "*drive.google.com*" and process.args : "*export=download*" and process.args : "*confirm=no_antivirus*") + + /* ignore trusted processes */ + and not ( + process.code_signature.trusted == true and + process.code_signature.subject_name: + ("Mozilla Corporation", + "Google LLC", + "Google Inc", + "Bitdefender SRL", + "Microsoft Corporation", + "Netskope, Inc.", + "Avast Software s.r.o.", + "Microsoft Windows", + "AVG Technologies USA, LLC", + "Symantec Corporation", + "Trend Micro, Inc.", + "Palo Alto Networks (Netherlands) B.V.", + "Docker Inc")) + + /* ignore common benign processes */ + and not process.executable: + ("/bin/terraform", + "*/bin/dockerd", + "/usr/local/bin/docker-init", + "*/bin/go", + "?:\\Program Files*\\Mozilla Firefox\firefox.exe", + "?:\\Program Files*\\Google\\Chrome\\Application\\chrome.exe") + + /* ignore shellscripts + go install from legitimate repository*/ + and not (process.executable == "/bin/sh" and process.args : "go install google.golang.org*")] + +[network where + /* Look for DNS requests for Google Drive */ + (dns.question.name : "drive.google.com" and dns.question.type : "A") or + + /* Look for connection attempts to address that resolves to Google */ + (destination.as.organization.name : "GOOGLE" and event.action == "connection_attempted")] + +/* Identify the creation of files following Google Drive connection with extensions commonly used for executables or libraries */ +[file where event.action == "creation" and + file.extension : + ("exe", "dll", "scr", "jar", "pif", "app", "dmg", + "pkg", "elf", "so", "bin", "deb", "rpm","sh","hta","lnk")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-meterpreter-reverse-shell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-meterpreter-reverse-shell.asciidoc new file mode 100644 index 0000000000..2875e4a958 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-meterpreter-reverse-shell.asciidoc @@ -0,0 +1,81 @@ +[[prebuilt-rule-8-11-3-potential-meterpreter-reverse-shell]] +=== Potential Meterpreter Reverse Shell + +This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sample by host.id, process.pid, user.id +[file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and auditd.data.syscall == "open" and + auditd.data.a2 == "1b6" and file.path == "/etc/machine-id"] +[file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and auditd.data.syscall == "open" and + auditd.data.a2 == "1b6" and file.path == "/etc/passwd"] +[file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and auditd.data.syscall == "open" and + auditd.data.a2 == "1b6" and file.path == "/proc/net/route"] +[file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and auditd.data.syscall == "open" and + auditd.data.a2 == "1b6" and file.path == "/proc/net/ipv6_route"] +[file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and auditd.data.syscall == "open" and + auditd.data.a2 == "1b6" and file.path == "/proc/net/if_inet6"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-modification-of-accessibility-binaries.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-modification-of-accessibility-binaries.asciidoc new file mode 100644 index 0000000000..1ceaf37bdf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-modification-of-accessibility-binaries.asciidoc @@ -0,0 +1,173 @@ +[[prebuilt-rule-8-11-3-potential-modification-of-accessibility-binaries]] +=== Potential Modification of Accessibility Binaries + +Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/blog/practical-security-engineering-stateful-detection + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Modification of Accessibility Binaries + +Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. + +More details can be found [here](https://attack.mitre.org/techniques/T1546/008/). + +This rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ("Utilman.exe", "winlogon.exe") and user.name == "SYSTEM" and + process.args : + ( + "C:\\Windows\\System32\\osk.exe", + "C:\\Windows\\System32\\Magnify.exe", + "C:\\Windows\\System32\\Narrator.exe", + "C:\\Windows\\System32\\Sethc.exe", + "utilman.exe", + "ATBroker.exe", + "DisplaySwitch.exe", + "sethc.exe" + ) + and not process.pe.original_file_name in + ( + "osk.exe", + "sethc.exe", + "utilman2.exe", + "DisplaySwitch.exe", + "ATBroker.exe", + "ScreenMagnifier.exe", + "SR.exe", + "Narrator.exe", + "magnify.exe", + "MAGNIFY.EXE" + ) + +/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */ +/* and process.code_signature.subject_name == "Microsoft Windows" and process.code_signature.status == "trusted" */ + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Accessibility Features +** ID: T1546.008 +** Reference URL: https://attack.mitre.org/techniques/T1546/008/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Accessibility Features +** ID: T1546.008 +** Reference URL: https://attack.mitre.org/techniques/T1546/008/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-network-scan-executed-from-host.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-network-scan-executed-from-host.asciidoc new file mode 100644 index 0000000000..c757b916dd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-network-scan-executed-from-host.asciidoc @@ -0,0 +1,60 @@ +[[prebuilt-rule-8-11-3-potential-network-scan-executed-from-host]] +=== Potential Network Scan Executed From Host + +This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while attempting to evade detection or due to the lack of network mapping tools available on the compromised host. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.action:exec and event.type:start and +process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Service Discovery +** ID: T1046 +** Reference URL: https://attack.mitre.org/techniques/T1046/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-openssh-backdoor-logging-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-openssh-backdoor-logging-activity.asciidoc new file mode 100644 index 0000000000..f10333a1a9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-openssh-backdoor-logging-activity.asciidoc @@ -0,0 +1,103 @@ +[[prebuilt-rule-8-11-3-potential-openssh-backdoor-logging-activity]] +=== Potential OpenSSH Backdoor Logging Activity + +Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/eset/malware-ioc/tree/master/sshdoor +* https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and + ( + (file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history", ".google_authenticator", + ".jelenv", ".csvignore", ".rtreport")) or + file.extension : ("in", "out", "ini", "h", "gz", "so", "sock", "sync", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9") or + file.path : + ( + "/private/etc/*--", + "/usr/share/*", + "/usr/include/*", + "/usr/local/include/*", + "/private/tmp/*", + "/private/var/tmp/*", + "/usr/tmp/*", + "/usr/share/man/*", + "/usr/local/share/*", + "/usr/lib/*.so.*", + "/private/etc/ssh/.sshd_auth", + "/usr/bin/ssd", + "/private/var/opt/power", + "/private/etc/ssh/ssh_known_hosts", + "/private/var/html/lol", + "/private/var/log/utmp", + "/private/var/lib", + "/var/run/sshd/sshd.pid", + "/var/run/nscd/ns.pid", + "/var/run/udev/ud.pid", + "/var/run/udevd.pid" + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-persistence-through-init-d-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-persistence-through-init-d-detected.asciidoc new file mode 100644 index 0000000000..b1a79469c6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-persistence-through-init-d-detected.asciidoc @@ -0,0 +1,138 @@ +[[prebuilt-rule-8-11-3-potential-persistence-through-init-d-detected]] +=== Potential Persistence Through init.d Detected + +Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the "systemd-sysv-generator" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/ +* https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts +* https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Persistence Through init.d Detected + +The `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown. + +Attackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory. + +This rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. +#### Possible Investigation Steps + +- Investigate the file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Related Rules + +- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the maliciously created service/init.d files or restore it to the original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and +file.path : /etc/init.d/* and not process.name : ("dpkg" or "dockerd" or "rpm" or "dnf" or "chef-client" or "apk" or "yum" or +"rpm" or "vmis-launcher" or "exe") and not file.extension : ("swp" or "swx") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-persistence-through-motd-file-creation-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-persistence-through-motd-file-creation-detected.asciidoc new file mode 100644 index 0000000000..30ec3fa098 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-persistence-through-motd-file-creation-detected.asciidoc @@ -0,0 +1,133 @@ +[[prebuilt-rule-8-11-3-potential-persistence-through-motd-file-creation-detected]] +=== Potential Persistence Through MOTD File Creation Detected + +Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and "/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Persistence Through MOTD File Creation Detected + +The message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux. + +Attackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges. + +This rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Investigate the file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + +### Related Rules + +- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447 + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the MOTD files or restore their original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and +file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : ( + dpkg or dockerd or rpm or executor or dnf +) and not file.extension : ("swp" or "swpx") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-persistence-through-run-control-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-persistence-through-run-control-detected.asciidoc new file mode 100644 index 0000000000..5dc73924f9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-persistence-through-run-control-detected.asciidoc @@ -0,0 +1,141 @@ +[[prebuilt-rule-8-11-3-potential-persistence-through-run-control-detected]] +=== Potential Persistence Through Run Control Detected + +This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/ +* https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts +* https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Persistence Through Run Control Detected + +The `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. + +There might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. + +Detection alerts from this rule indicate the creation of a new `/etc/rc.local` file. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the file that was created or modified. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`. + - !{osquery{"label":"Osquery - Retrieve rc-local.service File Information","query":"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')"}} + - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file. + - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep "rc-local.service|/etc/rc.local Compatibility"` can be executed to check for the execution of the service. + - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + +### False Positive Analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the `service/rc.local` files or restore their original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.category : "file" and +event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and +file.path : "/etc/rc.local" and not process.name : ( + "dockerd" or "docker" or "dnf" or "dnf-automatic" or "yum" or "rpm" or "dpkg" +) and not file.extension : ("swp" or "swpx") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-powershell-hacktool-script-by-function-names.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-powershell-hacktool-script-by-function-names.asciidoc new file mode 100644 index 0000000000..8960c9b5d4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-powershell-hacktool-script-by-function-names.asciidoc @@ -0,0 +1,248 @@ +[[prebuilt-rule-8-11-3-potential-powershell-hacktool-script-by-function-names]] +=== Potential PowerShell HackTool Script by Function Names + +Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md +* https://github.com/BC-SECURITY/Empire + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: PowerShell Logs + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + "Add-DomainGroupMember" or "Add-DomainObjectAcl" or + "Add-RemoteConnection" or "Add-ServiceDacl" or + "Add-Win32Type" or "Convert-ADName" or + "Convert-LDAPProperty" or "ConvertFrom-LDAPLogonHours" or + "ConvertFrom-UACValue" or "Copy-ArrayOfMemAddresses" or + "Create-NamedPipe" or "Create-ProcessWithToken" or + "Create-RemoteThread" or "Create-SuspendedWinLogon" or + "Create-WinLogonProcess" or "Emit-CallThreadStub" or + "Enable-SeAssignPrimaryTokenPrivilege" or "Enable-SeDebugPrivilege" or + "Enum-AllTokens" or "Export-PowerViewCSV" or + "Find-AVSignature" or "Find-AppLockerLog" or + "Find-DomainLocalGroupMember" or "Find-DomainObjectPropertyOutlier" or + "Find-DomainProcess" or "Find-DomainShare" or + "Find-DomainUserEvent" or "Find-DomainUserLocation" or + "Find-InterestingDomainAcl" or "Find-InterestingDomainShareFile" or + "Find-InterestingFile" or "Find-LocalAdminAccess" or + "Find-PSScriptsInPSAppLog" or "Find-PathDLLHijack" or + "Find-ProcessDLLHijack" or "Find-RDPClientConnection" or + "Get-AllAttributesForClass" or "Get-CachedGPPPassword" or + "Get-DecryptedCpassword" or "Get-DecryptedSitelistPassword" or + "Get-DelegateType" or + "Get-DomainDFSShare" or "Get-DomainDFSShareV1" or + "Get-DomainDFSShareV2" or "Get-DomainDNSRecord" or + "Get-DomainDNSZone" or "Get-DomainFileServer" or + "Get-DomainForeignGroupMember" or "Get-DomainForeignUser" or + "Get-DomainGPO" or "Get-DomainGPOComputerLocalGroupMapping" or + "Get-DomainGPOLocalGroup" or "Get-DomainGPOUserLocalGroupMapping" or + "Get-DomainGUIDMap" or "Get-DomainGroup" or + "Get-DomainGroupMember" or "Get-DomainGroupMemberDeleted" or + "Get-DomainManagedSecurityGroup" or "Get-DomainOU" or + "Get-DomainObject" or "Get-DomainObjectAcl" or + "Get-DomainObjectAttributeHistory" or "Get-DomainObjectLinkedAttributeHistory" or + "Get-DomainPolicyData" or "Get-DomainSID" or + "Get-DomainSPNTicket" or "Get-DomainSearcher" or + "Get-DomainSite" or "Get-DomainSubnet" or + "Get-DomainTrust" or "Get-DomainTrustMapping" or + "Get-DomainUser" or "Get-DomainUserEvent" or + "Get-Forest" or "Get-ForestDomain" or + "Get-ForestGlobalCatalog" or "Get-ForestSchemaClass" or + "Get-ForestTrust" or "Get-GPODelegation" or + "Get-GPPAutologon" or "Get-GPPInnerField" or + "Get-GPPInnerFields" or "Get-GPPPassword" or + "Get-GptTmpl" or "Get-GroupsXML" or + "Get-HttpStatus" or "Get-ImageNtHeaders" or + "Get-Keystrokes" or + "Get-MemoryProcAddress" or "Get-MicrophoneAudio" or + "Get-ModifiablePath" or "Get-ModifiableRegistryAutoRun" or + "Get-ModifiableScheduledTaskFile" or "Get-ModifiableService" or + "Get-ModifiableServiceFile" or "Get-Name" or + "Get-NetComputerSiteName" or "Get-NetLocalGroup" or + "Get-NetLocalGroupMember" or "Get-NetLoggedon" or + "Get-NetRDPSession" or "Get-NetSession" or + "Get-NetShare" or "Get-PEArchitecture" or + "Get-PEBasicInfo" or "Get-PEDetailedInfo" or + "Get-PathAcl" or "Get-PrimaryToken" or + "Get-ProcAddress" or "Get-ProcessTokenGroup" or + "Get-ProcessTokenPrivilege" or "Get-ProcessTokenType" or + "Get-RegLoggedOn" or "Get-RegistryAlwaysInstallElevated" or + "Get-RegistryAutoLogon" or "Get-RemoteProcAddress" or + "Get-Screenshot" or "Get-ServiceDetail" or + "Get-SiteListPassword" or "Get-SitelistField" or + "Get-System" or "Get-SystemNamedPipe" or + "Get-SystemToken" or "Get-ThreadToken" or + "Get-TimedScreenshot" or "Get-TokenInformation" or + "Get-TopPort" or "Get-UnattendedInstallFile" or + "Get-UniqueTokens" or "Get-UnquotedService" or + "Get-VaultCredential" or "Get-VaultElementValue" or + "Get-VirtualProtectValue" or "Get-VolumeShadowCopy" or + "Get-WMIProcess" or "Get-WMIRegCachedRDPConnection" or + "Get-WMIRegLastLoggedOn" or "Get-WMIRegMountedDrive" or + "Get-WMIRegProxy" or "Get-WebConfig" or + "Get-Win32Constants" or "Get-Win32Functions" or + "Get-Win32Types" or "Import-DllImports" or + "Import-DllInRemoteProcess" or "Inject-LocalShellcode" or + "Inject-RemoteShellcode" or "Install-ServiceBinary" or + "Invoke-CompareAttributesForClass" or "Invoke-CreateRemoteThread" or + "Invoke-CredentialInjection" or "Invoke-DllInjection" or + "Invoke-EventVwrBypass" or "Invoke-ImpersonateUser" or + "Invoke-Kerberoast" or "Invoke-MemoryFreeLibrary" or + "Invoke-MemoryLoadLibrary" or "Invoke-Method" or + "Invoke-Mimikatz" or "Invoke-NinjaCopy" or + "Invoke-PatchDll" or "Invoke-Portscan" or + "Invoke-PrivescAudit" or "Invoke-ReflectivePEInjection" or + "Invoke-ReverseDnsLookup" or "Invoke-RevertToSelf" or + "Invoke-ServiceAbuse" or "Invoke-Shellcode" or + "Invoke-TokenManipulation" or "Invoke-UserImpersonation" or + "Invoke-WmiCommand" or "Mount-VolumeShadowCopy" or + "New-ADObjectAccessControlEntry" or "New-DomainGroup" or + "New-DomainUser" or "New-DynamicParameter" or + "New-InMemoryModule" or + "New-ThreadedFunction" or "New-VolumeShadowCopy" or + "Out-CompressedDll" or "Out-EncodedCommand" or + "Out-EncryptedScript" or "Out-Minidump" or + "PortScan-Alive" or "Portscan-Port" or + "Remove-DomainGroupMember" or "Remove-DomainObjectAcl" or + "Remove-RemoteConnection" or "Remove-VolumeShadowCopy" or + "Restore-ServiceBinary" or "Set-DesktopACLToAllowEveryone" or + "Set-DesktopACLs" or "Set-DomainObject" or + "Set-DomainObjectOwner" or "Set-DomainUserPassword" or + "Set-ServiceBinaryPath" or "Sub-SignedIntAsUnsigned" or + "Test-AdminAccess" or "Test-MemoryRangeValid" or + "Test-ServiceDaclPermission" or "Update-ExeFunctions" or + "Update-MemoryAddresses" or "Update-MemoryProtectionFlags" or + "Write-BytesToMemory" or "Write-HijackDll" or + "Write-PortscanOut" or "Write-ServiceBinary" or + "Write-UserAddMSI" or "Invoke-Privesc" or + "func_get_proc_address" or "Invoke-BloodHound" or + "Invoke-HostEnum" or "Get-BrowserInformation" or + "Get-DomainAccountPolicy" or "Get-DomainAdmins" or + "Get-AVProcesses" or "Get-AVInfo" or + "Get-RecycleBin" or "Invoke-BruteForce" or + "Get-PassHints" or "Invoke-SessionGopher" or + "Get-LSASecret" or "Get-PassHashes" or + "Invoke-WdigestDowngrade" or "Get-ChromeDump" or + "Invoke-DomainPasswordSpray" or "Get-FoxDump" or + "New-HoneyHash" or "Invoke-DCSync" or + "Invoke-PowerDump" or "Invoke-SSIDExfil" or + "Invoke-PowerShellTCP" or "Add-Exfiltration" or + "Do-Exfiltration" or "Invoke-DropboxUpload" or + "Invoke-ExfilDataToGitHub" or "Invoke-EgressCheck" or + "Invoke-PostExfil" or "Create-MultipleSessions" or + "Invoke-NetworkRelay" or "New-GPOImmediateTask" or + "Invoke-WMIDebugger" or "Invoke-SQLOSCMD" or + "Invoke-SMBExec" or "Invoke-PSRemoting" or + "Invoke-ExecuteMSBuild" or "Invoke-DCOM" or + "Invoke-InveighRelay" or "Invoke-PsExec" or + "Invoke-SSHCommand" or "Find-ActiveUsersWMI" or + "Get-SystemDrivesWMI" or "Get-ActiveNICSWMI" or + "Remove-Persistence" or "DNS_TXT_Pwnage" or + "Execute-OnTime" or "HTTP-Backdoor" or + "Add-ConstrainedDelegationBackdoor" or "Add-RegBackdoor" or + "Add-ScrnSaveBackdoor" or "Gupt-Backdoor" or + "Invoke-ADSBackdoor" or "Add-Persistence" or + "Invoke-ResolverBackdoor" or "Invoke-EventLogBackdoor" or + "Invoke-DeadUserBackdoor" or "Invoke-DisableMachineAcctChange" or + "Invoke-AccessBinary" or "Add-NetUser" or + "Invoke-Schtasks" or "Invoke-JSRatRegsvr" or + "Invoke-JSRatRundll" or "Invoke-PoshRatHttps" or + "Invoke-PsGcatAgent" or "Remove-PoshRat" or + "Install-SSP" or "Invoke-BackdoorLNK" or + "PowerBreach" or "InstallEXE-Persistence" or + "RemoveEXE-Persistence" or "Install-ServiceLevel-Persistence" or + "Remove-ServiceLevel-Persistence" or "Invoke-Prompt" or + "Invoke-PacketCapture" or "Start-WebcamRecorder" or + "Get-USBKeyStrokes" or "Invoke-KeeThief" or + "Get-Keystrokes" or "Invoke-NetRipper" or + "Get-EmailItems" or "Invoke-MailSearch" or + "Invoke-SearchGAL" or "Get-WebCredentials" or + "Start-CaptureServer" or "Invoke-PowerShellIcmp" or + "Invoke-PowerShellTcpOneLine" or "Invoke-PowerShellTcpOneLineBind" or + "Invoke-PowerShellUdp" or "Invoke-PowerShellUdpOneLine" or + "Run-EXEonRemote" or "Download-Execute-PS" or + "Out-RundllCommand" or "Set-RemoteWMI" or + "Set-DCShadowPermissions" or "Invoke-PowerShellWMI" or + "Invoke-Vnc" or "Invoke-LockWorkStation" or + "Invoke-EternalBlue" or "Invoke-ShellcodeMSIL" or + "Invoke-MetasploitPayload" or "Invoke-DowngradeAccount" or + "Invoke-RunAs" or "ExetoText" or + "Disable-SecuritySettings" or "Set-MacAttribute" or + "Invoke-MS16032" or "Invoke-BypassUACTokenManipulation" or + "Invoke-SDCLTBypass" or "Invoke-FodHelperBypass" or + "Invoke-EventVwrBypass" or "Invoke-EnvBypass" or + "Get-ServiceUnquoted" or "Get-ServiceFilePermission" or + "Get-ServicePermission" or "Get-ServicePermission" or + "Enable-DuplicateToken" or "Invoke-PsUaCme" or + "Invoke-Tater" or "Invoke-WScriptBypassUAC" or + "Invoke-AllChecks" or "Find-TrustedDocuments" or + "Invoke-Interceptor" or "Invoke-PoshRatHttp" or + "Invoke-ExecCommandWMI" or "Invoke-KillProcessWMI" or + "Invoke-CreateShareandExecute" or "Invoke-RemoteScriptWithOutput" or + "Invoke-SchedJobManipulation" or "Invoke-ServiceManipulation" or + "Invoke-PowerOptionsWMI" or "Invoke-DirectoryListing" or + "Invoke-FileTransferOverWMI" or "Invoke-WMImplant" or + "Invoke-WMIObfuscatedPSCommand" or "Invoke-WMIDuplicateClass" or + "Invoke-WMIUpload" or "Invoke-WMIRemoteExtract" or "Invoke-winPEAS" + ) and + not powershell.file.script_block_text : ( + "sentinelbreakpoints" and "Set-PSBreakpoint" + ) and + not user.id : ("S-1-5-18" or "S-1-5-19") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc new file mode 100644 index 0000000000..2ea0bddbeb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc @@ -0,0 +1,75 @@ +[[prebuilt-rule-8-11-3-potential-privacy-control-bypass-via-localhost-secure-copy]] +=== Potential Privacy Control Bypass via Localhost Secure Copy + +Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.name:"scp" and + process.args:"StrictHostKeyChecking=no" and + process.command_line:("scp *localhost:/*", "scp *127.0.0.1:/*") and + not process.args:"vagrant@*127.0.0.1*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privacy-control-bypass-via-tccdb-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privacy-control-bypass-via-tccdb-modification.asciidoc new file mode 100644 index 0000000000..d66cde2193 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privacy-control-bypass-via-tccdb-modification.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-11-3-potential-privacy-control-bypass-via-tccdb-modification]] +=== Potential Privacy Control Bypass via TCCDB Modification + +Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/ +* https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh +* https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and + process.args : "/*/Application Support/com.apple.TCC/TCC.db" and + not process.parent.executable : "/Library/Bitdefender/AVP/product/bin/*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-through-writable-docker-socket.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-through-writable-docker-socket.asciidoc new file mode 100644 index 0000000000..4a1a54d872 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-through-writable-docker-socket.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-11-3-potential-privilege-escalation-through-writable-docker-socket]] +=== Potential Privilege Escalation through Writable Docker Socket + +This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by default are only be writable by the root user and docker group. Attackers that have permissions to write to these sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto the host file system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Domain: Container +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +( + (process.name == "docker" and process.args : "run" and process.args : "-it" and + process.args : ("unix://*/docker.sock", "unix://*/dockershim.sock")) or + (process.name == "socat" and process.args : ("UNIX-CONNECT:*/docker.sock", "UNIX-CONNECT:*/dockershim.sock")) +) and not user.Ext.real.id : "0" and not group.Ext.real.id : "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Escape to Host +** ID: T1611 +** Reference URL: https://attack.mitre.org/techniques/T1611/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-container-misconfiguration.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-container-misconfiguration.asciidoc new file mode 100644 index 0000000000..7959de6be0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-container-misconfiguration.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-11-3-potential-privilege-escalation-via-container-misconfiguration]] +=== Potential Privilege Escalation via Container Misconfiguration + +This rule monitors for the execution of processes that interact with Linux containers through an interactive shell without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container escape attack, which might allow them to escalate privileges and gain further access onto the host file system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation +* https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Domain: Container +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( + (process.name == "runc" and process.args == "run") or + (process.name == "ctr" and process.args == "run" and process.args in ("--privileged", "--mount")) +) and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" and +process.interactive == true and process.parent.interactive == true + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Escape to Host +** ID: T1611 +** Reference URL: https://attack.mitre.org/techniques/T1611/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-cve-2023-4911.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-cve-2023-4911.asciidoc new file mode 100644 index 0000000000..754bca92a2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-cve-2023-4911.asciidoc @@ -0,0 +1,64 @@ +[[prebuilt-rule-8-11-3-potential-privilege-escalation-via-cve-2023-4911]] +=== Potential Privilege Escalation via CVE-2023-4911 + +This rule detects potential privilege escalation attempts through Looney Tunables (CVE-2023-4911). Looney Tunables is a buffer overflow vulnerability in GNU C Library's dynamic loader's processing of the GLIBC_TUNABLES environment variable. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.env_vars : "*GLIBC_TUNABLES=glibc.*=glibc.*=*"] with runs=5 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-installerfiletakeover.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-installerfiletakeover.asciidoc new file mode 100644 index 0000000000..c0e519c2a0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-installerfiletakeover.asciidoc @@ -0,0 +1,142 @@ +[[prebuilt-rule-8-11-3-potential-privilege-escalation-via-installerfiletakeover]] +=== Potential Privilege Escalation via InstallerFileTakeOver + +Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/klinix5/InstallerFileTakeOver + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Privilege Escalation via InstallerFileTakeOver + +InstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY. + +This rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Look for additional processes spawned by the process, command lines, and network communications. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- Verify whether a digital signature exists in the executable, and if it is valid. + +### Related rules + +- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.Ext.token.integrity_level_name : "System" and + ( + (process.name : "elevation_service.exe" and + not process.pe.original_file_name == "elevation_service.exe") or + + (process.name : "elevation_service.exe" and + not process.code_signature.trusted == true) or + + (process.parent.name : "elevation_service.exe" and + process.name : ("rundll32.exe", "cmd.exe", "powershell.exe")) + ) and + not + ( + process.name : "elevation_service.exe" and process.code_signature.trusted == true and + process.pe.original_file_name == null + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-overlayfs.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-overlayfs.asciidoc new file mode 100644 index 0000000000..dfc4ab2893 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-overlayfs.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-11-3-potential-privilege-escalation-via-overlayfs]] +=== Potential Privilege Escalation via OverlayFS + +Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability +* https://twitter.com/liadeliyahu/status/1684841527959273472 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.parent.entity_id, host.id with maxspan=5s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" and user.id != "0"] + [process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and + user.id == "0"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-pkexec.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-pkexec.asciidoc new file mode 100644 index 0000000000..92847ae958 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-pkexec.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-11-3-potential-privilege-escalation-via-pkexec]] +=== Potential Privilege Escalation via PKEXEC + +Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://seclists.org/oss-sec/2022/q1/80 +* https://haxx.in/files/blasty-vs-pkexec.c + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and file.path : "/*GCONV_PATH*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Path Interception by PATH Environment Variable +** ID: T1574.007 +** Reference URL: https://attack.mitre.org/techniques/T1574/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-python-cap-setuid.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-python-cap-setuid.asciidoc new file mode 100644 index 0000000000..b3bda06bc2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-python-cap-setuid.asciidoc @@ -0,0 +1,71 @@ +[[prebuilt-rule-8-11-3-potential-privilege-escalation-via-python-cap-setuid]] +=== Potential Privilege Escalation via Python cap_setuid + +This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python, followed by a uid or gid change to the root user. This sequence of events may indicate successful privilege escalation. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the privileges that are set on the binary that is being executed. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.args : "import os;os.set?id(0);os.system(*)" and process.args : "*python*" and user.id != "0"] + [process where host.os.type == "linux" and event.action in ("uid_change", "gid_change") and event.type == "change" and + (user.id == "0" or group.id == "0")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Setuid and Setgid +** ID: T1548.001 +** Reference URL: https://attack.mitre.org/techniques/T1548/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-recently-compiled-executable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-recently-compiled-executable.asciidoc new file mode 100644 index 0000000000..4e71579555 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-recently-compiled-executable.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-3-potential-privilege-escalation-via-recently-compiled-executable]] +=== Potential Privilege Escalation via Recently Compiled Executable + +This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or software privilege escalation exploit. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1m + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name in ("gcc", "g++", "cc") and user.id != "0"] by process.args + [file where host.os.type == "linux" and event.action == "creation" and event.type == "creation" and + process.name == "ld" and user.id != "0"] by file.name + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + user.id != "0"] by process.name + [process where host.os.type == "linux" and event.action in ("uid_change", "guid_change") and event.type == "change" and + user.id == "0"] by process.name + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-uid-int-max-bug-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-uid-int-max-bug-detected.asciidoc new file mode 100644 index 0000000000..778d6ac3ff --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privilege-escalation-via-uid-int-max-bug-detected.asciidoc @@ -0,0 +1,64 @@ +[[prebuilt-rule-8-11-3-potential-privilege-escalation-via-uid-int-max-bug-detected]] +=== Potential Privilege Escalation via UID INT_MAX Bug Detected + +This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID greater than INT_MAX to escalate privileges by spawning a shell through systemd-run. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/paragonsec/status/1071152249529884674 +* https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh +* https://gitlab.freedesktop.org/polkit/polkit/-/issues/74 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "systemd-run" and process.args == "-t" and process.args_count >= 3 and user.id >= "1000000000" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privileged-escalation-via-samaccountname-spoofing.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privileged-escalation-via-samaccountname-spoofing.asciidoc new file mode 100644 index 0000000000..6df51a4bb9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-privileged-escalation-via-samaccountname-spoofing.asciidoc @@ -0,0 +1,88 @@ +[[prebuilt-rule-8-11-3-potential-privileged-escalation-via-samaccountname-spoofing]] +=== Potential Privileged Escalation via SamAccountName Spoofing + +Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e +* https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/ +* https://github.com/cube0x0/noPac +* https://twitter.com/exploitph/status/1469157138928914432 +* https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Use Case: Active Directory Monitoring +* Data Source: Active Directory +* Use Case: Vulnerability + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +iam where event.action == "renamed-user-account" and + /* machine account name renamed to user like account name */ + winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Domain Accounts +** ID: T1078.002 +** Reference URL: https://attack.mitre.org/techniques/T1078/002/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-process-injection-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-process-injection-via-powershell.asciidoc new file mode 100644 index 0000000000..1d8ad49393 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-process-injection-via-powershell.asciidoc @@ -0,0 +1,145 @@ +[[prebuilt-rule-8-11-3-potential-process-injection-via-powershell]] +=== Potential Process Injection via PowerShell + +Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1 +* https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1 +* https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1 +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Process Injection via PowerShell + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +PowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc. + +Red Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Check if the imported function was executed and which process it targeted. +- Check if the injected code can be retrieved (hardcoded in the script or on command line logs). + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or + LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and + (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or + SuspendThread or ResumeThread or GetDelegateForFunctionPointer) + ) and not + (user.id:("S-1-5-18" or "S-1-5-19") and + file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Dynamic-link Library Injection +** ID: T1055.001 +** Reference URL: https://attack.mitre.org/techniques/T1055/001/ +* Sub-technique: +** Name: Portable Executable Injection +** ID: T1055.002 +** Reference URL: https://attack.mitre.org/techniques/T1055/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-protocol-tunneling-via-chisel-client.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-protocol-tunneling-via-chisel-client.asciidoc new file mode 100644 index 0000000000..3954ce2d8c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-protocol-tunneling-via-chisel-client.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-11-3-potential-protocol-tunneling-via-chisel-client]] +=== Potential Protocol Tunneling via Chisel Client + +This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform +* https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.args == "client" and process.args : ("R*", "*:*", "*socks*", "*.*") and process.args_count >= 4 and + process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] + [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and + destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and + not process.name : ( + "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", + "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-protocol-tunneling-via-chisel-server.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-protocol-tunneling-via-chisel-server.asciidoc new file mode 100644 index 0000000000..c20af6a09c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-protocol-tunneling-via-chisel-server.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-11-3-potential-protocol-tunneling-via-chisel-server]] +=== Potential Protocol Tunneling via Chisel Server + +This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform +* https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1m + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.args == "server" and process.args in ("--port", "-p", "--reverse", "--backend", "--socks5") and + process.args_count >= 3 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] + [network where host.os.type == "linux" and event.action == "connection_accepted" and event.type == "start" and + destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and + not process.name : ( + "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", + "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-protocol-tunneling-via-earthworm.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-protocol-tunneling-via-earthworm.asciidoc new file mode 100644 index 0000000000..2ec5182d59 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-protocol-tunneling-via-earthworm.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-11-3-potential-protocol-tunneling-via-earthworm]] +=== Potential Protocol Tunneling via EarthWorm + +Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://rootkiter.com/EarthWorm/ +* https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and + process.args : "-s" and process.args : "-d" and process.args : "rssocks" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-pspy-process-monitoring-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-pspy-process-monitoring-detected.asciidoc new file mode 100644 index 0000000000..732967a30d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-pspy-process-monitoring-detected.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-11-3-potential-pspy-process-monitoring-detected]] +=== Potential Pspy Process Monitoring Detected + +This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors. + +*Rule type*: eql + +*Rule indices*: + +* logs-auditd_manager.auditd-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/DominicBreuker/pspy + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.pid, host.id with maxspan=5s +[ file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + auditd.data.syscall == "openat" and file.path == "/proc" and auditd.data.a0 : ("ffffffffffffff9c", "ffffff9c") and + auditd.data.a2 : ("80000", "88000") ] with runs=10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Process Discovery +** ID: T1057 +** Reference URL: https://attack.mitre.org/techniques/T1057/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-remote-code-execution-via-web-server.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-remote-code-execution-via-web-server.asciidoc new file mode 100644 index 0000000000..c3f6e1fc1d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-remote-code-execution-via-web-server.asciidoc @@ -0,0 +1,154 @@ +[[prebuilt-rule-8-11-3-potential-remote-code-execution-via-web-server]] +=== Potential Remote Code Execution via Web Server + +Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pentestlab.blog/tag/web-shell/ +* https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Initial Access +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Remote Code Execution via Web Server + +Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network. + +This rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps + +- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes. + - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration. + - !{osquery{"label":"Osquery - Retrieve Listening Ports","query":"SELECT pid, address, port, socket, protocol, path FROM listening_ports"}} + - !{osquery{"label":"Osquery - Retrieve Open Sockets","query":"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets"}} + - Investigate the process information for malicious or uncommon processes/process trees. + - !{osquery{"label":"Osquery - Retrieve Process Info","query":"SELECT name, cmdline, parent, path, uid FROM processes"}} + - Investigate the process tree spawned from the user that is used to run the web application service. A user that is running a web application should not spawn other child processes. + - !{osquery{"label":"Osquery - Retrieve Process Info for Webapp User","query":"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}"}} +- Examine the command line to determine which commands or scripts were executed. +- Investigate other alerts associated with the user/host during the past 48 hours. +- If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and +event.action in ("exec", "exec_event") and process.parent.executable : ( + "/usr/sbin/nginx", "/usr/local/sbin/nginx", + "/usr/sbin/apache", "/usr/local/sbin/apache", + "/usr/sbin/apache2", "/usr/local/sbin/apache2", + "/usr/sbin/php*", "/usr/local/sbin/php*", + "/usr/sbin/lighttpd", "/usr/local/sbin/lighttpd", + "/usr/sbin/hiawatha", "/usr/local/sbin/hiawatha", + "/usr/local/bin/caddy", + "/usr/local/lsws/bin/lswsctrl", + "*/bin/catalina.sh" +) and +process.name : ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "tmux") and +process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd") and +not process.name == "phpquery" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Server Software Component +** ID: T1505 +** Reference URL: https://attack.mitre.org/techniques/T1505/ +* Sub-technique: +** Name: Web Shell +** ID: T1505.003 +** Reference URL: https://attack.mitre.org/techniques/T1505/003/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-remote-credential-access-via-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-remote-credential-access-via-registry.asciidoc new file mode 100644 index 0000000000..e5dc7aa3c8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-remote-credential-access-via-registry.asciidoc @@ -0,0 +1,122 @@ +[[prebuilt-rule-8-11-3-potential-remote-credential-access-via-registry]] +=== Potential Remote Credential Access via Registry + +Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Tactic: Credential Access +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Remote Credential Access via Registry + +Dumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets. + +Attackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain. + +#### Possible investigation steps + +- Identify the specifics of the involved assets, such as their role, criticality, and associated users. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Determine the privileges of the compromised accounts. +- Investigate other alerts associated with the user/source host during the past 48 hours. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Related rules + +- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine if other hosts were compromised. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Reimage the host operating system or restore the compromised files to clean versions. +- Ensure that the machine has the latest security updates and is not running unsupported Windows versions. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and + event.action == "creation" and process.name : "svchost.exe" and + file.Ext.header_bytes : "72656766*" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and file.size >= 30000 and + file.path : ("?:\\Windows\\system32\\*.tmp", "?:\\WINDOWS\\Temp\\*.tmp") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-remote-desktop-shadowing-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-remote-desktop-shadowing-activity.asciidoc new file mode 100644 index 0000000000..425767c1a3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-remote-desktop-shadowing-activity.asciidoc @@ -0,0 +1,85 @@ +[[prebuilt-rule-8-11-3-potential-remote-desktop-shadowing-activity]] +=== Potential Remote Desktop Shadowing Activity + +Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing +* https://swarm.ptsecurity.com/remote-desktop-services-shadowing/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +/* Identifies the modification of RDP Shadow registry or + the execution of processes indicative of active shadow RDP session */ + +any where host.os.type == "windows" and +( + (event.category == "registry" and + registry.path : ( + "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow", + "\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow" + ) + ) or + (event.category == "process" and event.type == "start" and + (process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or + (process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*") + ) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Remote Desktop Protocol +** ID: T1021.001 +** Reference URL: https://attack.mitre.org/techniques/T1021/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-remote-desktop-tunneling-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-remote-desktop-tunneling-detected.asciidoc new file mode 100644 index 0000000000..d58b2ee0bd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-remote-desktop-tunneling-detected.asciidoc @@ -0,0 +1,125 @@ +[[prebuilt-rule-8-11-3-potential-remote-desktop-tunneling-detected]] +=== Potential Remote Desktop Tunneling Detected + +Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Tactic: Lateral Movement +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Remote Desktop Tunneling Detected + +Protocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination. + +Attackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols. + +This rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine network data to determine if the host communicated with external servers using the tunnel. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. +- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + /* RDP port and usual SSH tunneling related switches in command line */ + process.args : "*:3389" and + process.args : ("-L", "-P", "-R", "-pw", "-ssh") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-activity-via-terminal.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-activity-via-terminal.asciidoc new file mode 100644 index 0000000000..48de2a2a04 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-activity-via-terminal.asciidoc @@ -0,0 +1,115 @@ +[[prebuilt-rule-8-11-3-potential-reverse-shell-activity-via-terminal]] +=== Potential Reverse Shell Activity via Terminal + +Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md +* https://github.com/WangYihang/Reverse-Shell-Manager +* https://www.netsparker.com/blog/web-security/understanding-reverse-shells/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Reverse Shell Activity via Terminal + +A reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing. + +This rule identifies commands that are potentially related to reverse shell activities using shell applications. + +#### Possible investigation steps + +- Examine the command line and extract the target domain or IP address information. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Take actions to terminate processes and connections used by the attacker. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + process.name in ("sh", "bash", "zsh", "dash", "zmodload") and + process.args : ("*/dev/tcp/*", "*/dev/udp/*", "*zsh/net/tcp*", "*zsh/net/udp*") and + + /* noisy FPs */ + not (process.parent.name : "timeout" and process.executable : "/var/lib/docker/overlay*") and + not process.command_line : ( + "*/dev/tcp/sirh_db/*", "*/dev/tcp/remoteiot.com/*", "*dev/tcp/elk.stag.one/*", "*dev/tcp/kafka/*", + "*/dev/tcp/$0/$1*", "*/dev/tcp/127.*", "*/dev/udp/127.*", "*/dev/tcp/localhost/*", "*/dev/tcp/itom-vault/*") and + not process.parent.command_line : "runc init" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-background-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-background-process.asciidoc new file mode 100644 index 0000000000..7cd2a5d46a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-background-process.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-8-11-3-potential-reverse-shell-via-background-process]] +=== Potential Reverse Shell via Background Process + +Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and +process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-java.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-java.asciidoc new file mode 100644 index 0000000000..68e6aa577f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-java.asciidoc @@ -0,0 +1,81 @@ +[[prebuilt-rule-8-11-3-potential-reverse-shell-via-java]] +=== Potential Reverse Shell via Java + +This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5s + [network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and + process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and + destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" + ] by process.entity_id + [process where host.os.type == "linux" and event.action == "exec" and + process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and + process.parent.args : "-jar" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") + ] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-suspicious-binary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-suspicious-binary.asciidoc new file mode 100644 index 0000000000..9519ecf0e0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-suspicious-binary.asciidoc @@ -0,0 +1,90 @@ +[[prebuilt-rule-8-11-3-potential-reverse-shell-via-suspicious-binary]] +=== Potential Reverse Shell via Suspicious Binary + +This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s +[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and + process.executable : ( + "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*", + "/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*", + "/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local" + ) and + process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not + process.name : ("curl", "wget", "ping", "apt", "dpkg", "yum", "rpm", "dnf", "dockerd") ] +[ network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and + process.executable : ( + "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*", + "/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*", + "/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local" + ) and destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] +[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and + process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-suspicious-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-suspicious-child-process.asciidoc new file mode 100644 index 0000000000..941bac4f81 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-suspicious-child-process.asciidoc @@ -0,0 +1,97 @@ +[[prebuilt-rule-8-11-3-potential-reverse-shell-via-suspicious-child-process]] +=== Potential Reverse Shell via Suspicious Child Process + +This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and ( + (process.name : "python*" and process.args : "-c" and process.args : ( + "*import*pty*spawn*", "*import*subprocess*call*" + )) or + (process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : ( + "*exec*", "*system*" + )) or + (process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : ( + "*TCPSocket.new*", "*TCPSocket.open*" + )) or + (process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : ( + "*io.popen*", "*os.execute*" + )) or + (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or + (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or + (process.name : "openssl" and process.args : "-connect") or + (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3 and not process.args == "-z") or + (process.name : "telnet" and process.args_count >= 3) + ) and process.parent.name : ( + "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*", + "openssl", "nc", "netcat", "ncat", "telnet", "awk")] + [network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and + process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and + destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-udp.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-udp.asciidoc new file mode 100644 index 0000000000..21e072d129 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell-via-udp.asciidoc @@ -0,0 +1,86 @@ +[[prebuilt-rule-8-11-3-potential-reverse-shell-via-udp]] +=== Potential Reverse Shell via UDP + +This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sample by host.id, process.pid, process.parent.pid +[process where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + auditd.data.syscall == "execve" and process.name : ("bash", "dash", "sh", "tcsh", + "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby", + "openssl", "awk", "telnet", "lua*", "socat")] +[process where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + auditd.data.syscall == "socket" and process.name : ("bash", "dash", "sh", "tcsh", "csh", + "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby", "openssl", + "awk", "telnet", "lua*", "socat") and auditd.data.a0 == "2" and auditd.data.a1 : ("2", "802")] +[network where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + auditd.data.syscall == "connect" and process.name : ("bash", "dash", "sh", "tcsh", "csh", + "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby", "openssl", + "awk", "telnet", "lua*", "socat") and network.direction == "egress" and destination.ip != null and + destination.ip != "127.0.0.1" and destination.ip != "127.0.0.53" and destination.ip != "::1"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell.asciidoc new file mode 100644 index 0000000000..761da6cd32 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-reverse-shell.asciidoc @@ -0,0 +1,80 @@ +[[prebuilt-rule-8-11-3-potential-reverse-shell]] +=== Potential Reverse Shell + +This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1s + [network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and + destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1"] by process.entity_id + [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and + process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and + process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and not + process.args : "*imunify360-agent*"] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-shadow-credentials-added-to-ad-object.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-shadow-credentials-added-to-ad-object.asciidoc new file mode 100644 index 0000000000..f34686ef63 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-shadow-credentials-added-to-ad-object.asciidoc @@ -0,0 +1,109 @@ +[[prebuilt-rule-8-11-3-potential-shadow-credentials-added-to-ad-object]] +=== Potential Shadow Credentials added to AD Object + +Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab +* https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials +* https://github.com/OTRF/Set-AuditRule +* https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Active Directory +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Shadow Credentials added to AD Object + +The msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication. + +Attackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence. This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity. + +#### Possible investigation steps + +- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment. + - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`). + - Check whether the `source.ip` is the server running Azure AD Connect. +- Contact the account and system owners and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`). + - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment. + +### False positive analysis + +- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. + - Remove the Shadow Credentials from the object. +- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.action:"Directory Service Changes" and event.code:"5136" and + winlog.event_data.AttributeLDAPDisplayName:"msDS-KeyCredentialLink" and winlog.event_data.AttributeValue :B\:828* and + not winlog.event_data.SubjectUserName: MSOL_* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-shadow-file-read-via-command-line-utilities.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-shadow-file-read-via-command-line-utilities.asciidoc new file mode 100644 index 0000000000..e8a8331830 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-shadow-file-read-via-command-line-utilities.asciidoc @@ -0,0 +1,79 @@ +[[prebuilt-rule-8-11-3-potential-shadow-file-read-via-command-line-utilities]] +=== Potential Shadow File Read via Command Line Utilities + +Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type : "linux" and event.category : "process" and event.action : ("exec" or "exec_event") and +(process.args : "/etc/shadow" or (process.working_directory: "/etc" and process.args: "shadow")) and not +(process.executable : ("/bin/chown" or "/usr/bin/chown") and process.args : "root:shadow") and not +(process.executable : ("/bin/chmod" or "/usr/bin/chmod") and process.args : "640") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: /etc/passwd and /etc/shadow +** ID: T1003.008 +** Reference URL: https://attack.mitre.org/techniques/T1003/008/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-shell-via-wildcard-injection-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-shell-via-wildcard-injection-detected.asciidoc new file mode 100644 index 0000000000..49c76f838a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-shell-via-wildcard-injection-detected.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-11-3-potential-shell-via-wildcard-injection-detected]] +=== Potential Shell via Wildcard Injection Detected + +This rule monitors for the execution of a set of linux binaries, that are potentially vulnerable to wildcard injection, with suspicious command line flags followed by a shell spawn event. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.exploit-db.com/papers/33930 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ( + (process.name == "tar" and process.args : "--checkpoint=*" and process.args : "--checkpoint-action=*") or + (process.name == "rsync" and process.args : "-e*") or + (process.name == "zip" and process.args == "--unzip-command") )] by process.entity_id + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.parent.name : ("tar", "rsync", "zip") and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.parent.entity_id + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-ssh-it-ssh-worm-downloaded.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-ssh-it-ssh-worm-downloaded.asciidoc new file mode 100644 index 0000000000..2099048680 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-ssh-it-ssh-worm-downloaded.asciidoc @@ -0,0 +1,78 @@ +[[prebuilt-rule-8-11-3-potential-ssh-it-ssh-worm-downloaded]] +=== Potential SSH-IT SSH Worm Downloaded + +Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.thc.org/ssh-it/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend +* Data Source: Elastic Endgame + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name in ("curl", "wget") and process.args : ( + "https://thc.org/ssh-it/x", "http://nossl.segfault.net/ssh-it-deploy.sh", "https://gsocket.io/x", + "https://thc.org/ssh-it/bs", "http://nossl.segfault.net/bs" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ +* Technique: +** Name: Remote Service Session Hijacking +** ID: T1563 +** Reference URL: https://attack.mitre.org/techniques/T1563/ +* Sub-technique: +** Name: SSH Hijacking +** ID: T1563.001 +** Reference URL: https://attack.mitre.org/techniques/T1563/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc new file mode 100644 index 0000000000..341b1c35c0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-8-11-3-potential-successful-linux-ftp-brute-force-attack-detected]] +=== Potential Successful Linux FTP Brute Force Attack Detected + +An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, auditd.data.addr, related.user with maxspan=5s + [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + event.action == "authenticated" and auditd.data.terminal == "ftp" and event.outcome == "failure" and + auditd.data.addr != null and auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] with runs=10 + [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + event.action == "authenticated" and auditd.data.terminal == "ftp" and event.outcome == "success" and + auditd.data.addr != null and auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] | tail 1 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc new file mode 100644 index 0000000000..fa2aa119f5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc @@ -0,0 +1,71 @@ +[[prebuilt-rule-8-11-3-potential-successful-linux-rdp-brute-force-attack-detected]] +=== Potential Successful Linux RDP Brute Force Attack Detected + +An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-auditd_manager.auditd-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, related.user with maxspan=5s + [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + event.action == "authenticated" and auditd.data.terminal : "*rdp*" and event.outcome == "failure"] with runs=10 + [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and + event.action == "authenticated" and auditd.data.terminal : "*rdp*" and event.outcome == "success"] | tail 1 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-successful-ssh-brute-force-attack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-successful-ssh-brute-force-attack.asciidoc new file mode 100644 index 0000000000..ed6010c8b5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-successful-ssh-brute-force-attack.asciidoc @@ -0,0 +1,109 @@ +[[prebuilt-rule-8-11-3-potential-successful-ssh-brute-force-attack]] +=== Potential Successful SSH Brute Force Attack + +Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-system.auth-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Credential Access + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Successful SSH Brute Force Attack + +The rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the same target host indicating a successful attempt of brute force password guessing. + +#### Possible investigation steps + +- Investigate the login failure user name(s). +- Investigate the source IP address of the failed ssh login attempt(s). +- Investigate other alerts associated with the user/host during the past 48 hours. +- Identify the source and the target computer and their roles in the IT environment. + +### False positive analysis + +- Authentication misconfiguration or obsolete credentials. +- Service account password expired. +- Infrastructure or availability issue. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial access to the system(s). +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, source.ip, user.name with maxspan=15s + [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and + event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10 + + [authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and + event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-sudo-hijacking-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-sudo-hijacking-detected.asciidoc new file mode 100644 index 0000000000..b3ea139254 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-sudo-hijacking-detected.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-11-3-potential-sudo-hijacking-detected]] +=== Potential Sudo Hijacking Detected + +Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 104 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:file and event.type:("creation" or "file_create_event") and +file.path:("/usr/bin/sudo" or "/bin/sudo") and not process.name:(docker or dockerd) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Sudo and Sudo Caching +** ID: T1548.003 +** Reference URL: https://attack.mitre.org/techniques/T1548/003/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-sudo-privilege-escalation-via-cve-2019-14287.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-sudo-privilege-escalation-via-cve-2019-14287.asciidoc new file mode 100644 index 0000000000..e0e2a5c408 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-sudo-privilege-escalation-via-cve-2019-14287.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-11-3-potential-sudo-privilege-escalation-via-cve-2019-14287]] +=== Potential Sudo Privilege Escalation via CVE-2019-14287 + +This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u#-1" translates to an ID of 0, representing the root user. This exploit may work for sudo versions prior to v1.28. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.exploit-db.com/exploits/47502 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend +* Use Case: Vulnerability + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "sudo" and process.args == "-u#-1" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-sudo-token-manipulation-via-process-injection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-sudo-token-manipulation-via-process-injection.asciidoc new file mode 100644 index 0000000000..6cc6ba03bc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-sudo-token-manipulation-via-process-injection.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-11-3-potential-sudo-token-manipulation-via-process-injection]] +=== Potential Sudo Token Manipulation via Process Injection + +This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence of a living process that has a valid sudo token with the same uid as the current user. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/nongiach/sudo_inject + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.session_leader.entity_id with maxspan=15s +[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name == "gdb" and process.user.id != "0" and process.group.id != "0" ] +[ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and + process.name == "sudo" and process.user.id == "0" and process.group.id == "0" ] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Ptrace System Calls +** ID: T1055.008 +** Reference URL: https://attack.mitre.org/techniques/T1055/008/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Sudo and Sudo Caching +** ID: T1548.003 +** Reference URL: https://attack.mitre.org/techniques/T1548/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-suspicious-debugfs-root-device-access.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-suspicious-debugfs-root-device-access.asciidoc new file mode 100644 index 0000000000..73059c254b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-suspicious-debugfs-root-device-access.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-3-potential-suspicious-debugfs-root-device-access]] +=== Potential Suspicious DebugFS Root Device Access + +This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. Linux users that are part of the "disk" group have sufficient privileges to access all data inside of the machine through DebugFS. Attackers may leverage DebugFS in conjunction with "disk" permissions to read sensitive files owned by root, such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate privileges. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process.name == "debugfs" and process.args : "/dev/sd*" and not process.args == "-R" and +not user.Ext.real.id == "0" and not group.Ext.real.id == "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Local Accounts +** ID: T1078.003 +** Reference URL: https://attack.mitre.org/techniques/T1078/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-unauthorized-access-via-wildcard-injection-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-unauthorized-access-via-wildcard-injection-detected.asciidoc new file mode 100644 index 0000000000..4af369ff21 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-unauthorized-access-via-wildcard-injection-detected.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-11-3-potential-unauthorized-access-via-wildcard-injection-detected]] +=== Potential Unauthorized Access via Wildcard Injection Detected + +This rule monitors for the execution of the "chown" and "chmod" commands with command line flags that could indicate a wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.exploit-db.com/papers/33930 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and +process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: /etc/passwd and /etc/shadow +** ID: T1003.008 +** Reference URL: https://attack.mitre.org/techniques/T1003/008/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-upgrade-of-non-interactive-shell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-upgrade-of-non-interactive-shell.asciidoc new file mode 100644 index 0000000000..88ccbef6ea --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-potential-upgrade-of-non-interactive-shell.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-3-potential-upgrade-of-non-interactive-shell]] +=== Potential Upgrade of Non-interactive Shell + +Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more stable connection. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and ( + (process.name == "stty" and process.args == "raw" and process.args == "-echo" and process.args_count >= 3) or + (process.name == "script" and process.args in ("-qc", "-c") and process.args == "/dev/null" and + process.args_count == 4) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-kerberos-ticket-dump.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-kerberos-ticket-dump.asciidoc new file mode 100644 index 0000000000..fdb4f679b2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-kerberos-ticket-dump.asciidoc @@ -0,0 +1,89 @@ +[[prebuilt-rule-8-11-3-powershell-kerberos-ticket-dump]] +=== PowerShell Kerberos Ticket Dump + +Detects PowerShell scripts that have the capability of dumping Kerberos tickets from LSA, which potentially indicates an attacker's attempt to acquire credentials for lateral movement. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: PowerShell Logs + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + "LsaCallAuthenticationPackage" and + ( + "KerbRetrieveEncodedTicketMessage" or + "KerbQueryTicketCacheMessage" or + "KerbQueryTicketCacheExMessage" or + "KerbQueryTicketCacheEx2Message" or + "KerbRetrieveTicketMessage" or + "KerbDecryptDataMessage" + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-kerberos-ticket-request.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-kerberos-ticket-request.asciidoc new file mode 100644 index 0000000000..f8e9da41e7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-kerberos-ticket-request.asciidoc @@ -0,0 +1,132 @@ +[[prebuilt-rule-8-11-3-powershell-kerberos-ticket-request]] +=== PowerShell Kerberos Ticket Request + +Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://cobalt.io/blog/kerberoast-attack-techniques +* https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Kerberos Ticket Request + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code. + +Accounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket. + +Attackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate if the script was executed, and if so, which account was targeted. +- Validate if the account has an SPN associated with it. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Check if the script has any other functionality that can be potentially malicious. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information. + +### False positive analysis + +- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. Prioritize privileged accounts. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + KerberosRequestorSecurityToken + ) and not user.id : ("S-1-5-18" or "S-1-5-20") and + not powershell.file.script_block_text : ( + "sentinelbreakpoints" and ("Set-PSBreakpoint" or "Set-HookFunctionTabs") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ +* Sub-technique: +** Name: Kerberoasting +** ID: T1558.003 +** Reference URL: https://attack.mitre.org/techniques/T1558/003/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-keylogging-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-keylogging-script.asciidoc new file mode 100644 index 0000000000..1b811e671c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-keylogging-script.asciidoc @@ -0,0 +1,140 @@ +[[prebuilt-rule-8-11-3-powershell-keylogging-script]] +=== PowerShell Keylogging Script + +Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1 +* https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 111 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Keylogging Script + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Determine whether the script stores the captured data locally. +- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server. +- Assess network data to determine if the host communicated with the exfiltration server. + +### False positive analysis + +- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + ( + powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or "Get-Keystrokes") or + powershell.file.script_block_text : ( + (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and + (GetForegroundWindow or GetWindowTextA or GetWindowTextW or "WM_KEYBOARD_LL" or "WH_MOUSE_LL") + ) + ) and not user.id : "S-1-5-18" + and not powershell.file.script_block_text : ( + "sentinelbreakpoints" and "Set-PSBreakpoint" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Input Capture +** ID: T1056 +** Reference URL: https://attack.mitre.org/techniques/T1056/ +* Sub-technique: +** Name: Keylogging +** ID: T1056.001 +** Reference URL: https://attack.mitre.org/techniques/T1056/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-mailbox-collection-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-mailbox-collection-script.asciidoc new file mode 100644 index 0000000000..7ea440fb53 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-mailbox-collection-script.asciidoc @@ -0,0 +1,142 @@ +[[prebuilt-rule-8-11-3-powershell-mailbox-collection-script]] +=== PowerShell Mailbox Collection Script + +Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1 +* https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Data Source: PowerShell Logs +* Resources: Investigation Guide + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Mailbox Collection Script + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Email mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors. + +This rule identifies scripts that contains methods and classes that can be abused to collect emails from local and remote mailboxes. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs). +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Determine whether the script stores the captured data locally. +- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server. + - Assess network data to determine if the host communicated with the exfiltration server. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval. + +### Related rules + +- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior. +- Prioritize cases that involve personally identifiable information (PII) or other classified data. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + ( + powershell.file.script_block_text : ( + "Microsoft.Office.Interop.Outlook" or + "Interop.Outlook.olDefaultFolders" or + "::olFolderInBox" + ) or + powershell.file.script_block_text : ( + "Microsoft.Exchange.WebServices.Data.Folder" or + "Microsoft.Exchange.WebServices.Data.FileAttachment" + ) + ) and not user.id : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Email Collection +** ID: T1114 +** Reference URL: https://attack.mitre.org/techniques/T1114/ +* Sub-technique: +** Name: Local Email Collection +** ID: T1114.001 +** Reference URL: https://attack.mitre.org/techniques/T1114/001/ +* Sub-technique: +** Name: Remote Email Collection +** ID: T1114.002 +** Reference URL: https://attack.mitre.org/techniques/T1114/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-minidump-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-minidump-script.asciidoc new file mode 100644 index 0000000000..3d6da4a788 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-minidump-script.asciidoc @@ -0,0 +1,125 @@ +[[prebuilt-rule-8-11-3-powershell-minidump-script]] +=== PowerShell MiniDump Script + +This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1 +* https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1 +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell MiniDump Script + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other privileged information stored in the process memory. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Check if the imported function was executed and which process it targeted. + +### False positive analysis + +- Regular users do not have a business justification for using scripting utilities to dump process memory, making false positives unlikely. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-psreflect-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-psreflect-script.asciidoc new file mode 100644 index 0000000000..75c8651620 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-psreflect-script.asciidoc @@ -0,0 +1,159 @@ +[[prebuilt-rule-8-11-3-powershell-psreflect-script]] +=== PowerShell PSReflect Script + +Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1 +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell PSReflect Script + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +PSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily—all without touching the disk. + +Although this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities. + +Detecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering). +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Check for additional PowerShell and command-line logs that indicate that imported functions were run. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the script using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e +- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889 +- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43 +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d +- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad +- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a +- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text:( + "New-InMemoryModule" or + "Add-Win32Type" or + psenum or + DefineDynamicAssembly or + DefineDynamicModule or + "Reflection.TypeAttributes" or + "Reflection.Emit.OpCodes" or + "Reflection.Emit.CustomAttributeBuilder" or + "Runtime.InteropServices.DllImportAttribute" + ) and + not user.id : "S-1-5-18" and + not file.path : ?\:\\\\ProgramData\\\\MaaS360\\\\Cloud?Extender\\\\AR\\\\Scripts\\\\ASModuleCommon.ps1* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-script-with-token-impersonation-capabilities.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-script-with-token-impersonation-capabilities.asciidoc new file mode 100644 index 0000000000..76464c3c91 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-script-with-token-impersonation-capabilities.asciidoc @@ -0,0 +1,114 @@ +[[prebuilt-rule-8-11-3-powershell-script-with-token-impersonation-capabilities]] +=== PowerShell Script with Token Impersonation Capabilities + +Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/decoder-it/psgetsystem +* https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1 +* https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1 +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: PowerShell Logs + +*Version*: 9 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text:( + "Invoke-TokenManipulation" or + "ImpersonateNamedPipeClient" or + "NtImpersonateThread" or + ( + "STARTUPINFOEX" and + "UpdateProcThreadAttribute" + ) or + ( + "AdjustTokenPrivileges" and + "SeDebugPrivilege" + ) or + ( + ("DuplicateToken" or + "DuplicateTokenEx") and + ("SetThreadToken" or + "ImpersonateLoggedOnUser" or + "CreateProcessWithTokenW" or + "CreatePRocessAsUserW" or + "CreateProcessAsUserA") + ) + ) and + not ( + user.id:("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and + file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads" + ) and + not powershell.file.script_block_text : ( + "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ +* Sub-technique: +** Name: Token Impersonation/Theft +** ID: T1134.001 +** Reference URL: https://attack.mitre.org/techniques/T1134/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-share-enumeration-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-share-enumeration-script.asciidoc new file mode 100644 index 0000000000..00e95984af --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-share-enumeration-script.asciidoc @@ -0,0 +1,143 @@ +[[prebuilt-rule-8-11-3-powershell-share-enumeration-script]] +=== PowerShell Share Enumeration Script + +Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations +* https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Tactic: Collection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Share Enumeration Script + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can use PowerShell to enumerate shares to search for sensitive data like documents, scripts, and other kinds of valuable data for encryption, exfiltration, and lateral movement. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Check for additional PowerShell and command line logs that indicate that imported functions were run. + - Evaluate which information was potentially mapped and accessed by the attacker. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text:( + "Invoke-ShareFinder" or + "Invoke-ShareFinderThreaded" or + ( + "shi1_netname" and + "shi1_remark" + ) or + ( + "NetShareEnum" and + "NetApiBufferFree" + ) + ) and not user.id : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Network Share Discovery +** ID: T1135 +** Reference URL: https://attack.mitre.org/techniques/T1135/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Network Shared Drive +** ID: T1039 +** Reference URL: https://attack.mitre.org/techniques/T1039/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-discovery-related-windows-api-functions.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-discovery-related-windows-api-functions.asciidoc new file mode 100644 index 0000000000..902d1b7ec2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-discovery-related-windows-api-functions.asciidoc @@ -0,0 +1,179 @@ +[[prebuilt-rule-8-11-3-powershell-suspicious-discovery-related-windows-api-functions]] +=== PowerShell Suspicious Discovery Related Windows API Functions + +This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413 +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Tactic: Collection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 111 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Suspicious Discovery Related Windows API Functions + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Check for additional PowerShell and command-line logs that indicate that imported functions were run. + +### False positive analysis + +- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + NetShareEnum or + NetWkstaUserEnum or + NetSessionEnum or + NetLocalGroupEnum or + NetLocalGroupGetMembers or + DsGetSiteName or + DsEnumerateDomainTrusts or + WTSEnumerateSessionsEx or + WTSQuerySessionInformation or + LsaGetLogonSessionData or + QueryServiceObjectSecurity or + GetComputerNameEx or + NetWkstaGetInfo or + GetUserNameEx or + NetUserEnum or + NetUserGetInfo or + NetGroupEnum or + NetGroupGetInfo or + NetGroupGetUsers or + NetWkstaTransportEnum or + NetServerGetInfo or + LsaEnumerateTrustedDomains or + NetScheduleJobEnum or + NetUserModalsGet + ) + and not user.id : ("S-1-5-18" or "S-1-5-19") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Local Groups +** ID: T1069.001 +** Reference URL: https://attack.mitre.org/techniques/T1069/001/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Sub-technique: +** Name: Local Account +** ID: T1087.001 +** Reference URL: https://attack.mitre.org/techniques/T1087/001/ +* Technique: +** Name: Domain Trust Discovery +** ID: T1482 +** Reference URL: https://attack.mitre.org/techniques/T1482/ +* Technique: +** Name: Network Share Discovery +** ID: T1135 +** Reference URL: https://attack.mitre.org/techniques/T1135/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Data from Network Shared Drive +** ID: T1039 +** Reference URL: https://attack.mitre.org/techniques/T1039/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-payload-encoded-and-compressed.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-payload-encoded-and-compressed.asciidoc new file mode 100644 index 0000000000..b853d972a3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-payload-encoded-and-compressed.asciidoc @@ -0,0 +1,155 @@ +[[prebuilt-rule-8-11-3-powershell-suspicious-payload-encoded-and-compressed]] +=== PowerShell Suspicious Payload Encoded and Compressed + +Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Suspicious Payload Encoded and Compressed + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the script using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d +- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + ( + "System.IO.Compression.DeflateStream" or + "System.IO.Compression.GzipStream" or + "IO.Compression.DeflateStream" or + "IO.Compression.GzipStream" + ) and + FromBase64String + ) and + not file.path: ?\:\\\\ProgramData\\\\Microsoft\\\\Windows?Defender?Advanced?Threat?Protection\\\\Downloads\\\\* and + not user.id : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc new file mode 100644 index 0000000000..7ec3c5c698 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc @@ -0,0 +1,135 @@ +[[prebuilt-rule-8-11-3-powershell-suspicious-script-with-audio-capture-capabilities]] +=== PowerShell Suspicious Script with Audio Capture Capabilities + +Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Suspicious Script with Audio Capture Capabilities + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Investigate if the script stores the recorded data locally and determine if anything was recorded. +- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server. +- Assess network data to determine if the host communicated with the exfiltration server. + +### False positive analysis + +- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + "Get-MicrophoneAudio" or + "WindowsAudioDevice-Powershell-Cmdlet" or + (waveInGetNumDevs and mciSendStringA) + ) + and not powershell.file.script_block_text : ( + "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators" + ) + and not user.id : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Audio Capture +** ID: T1123 +** Reference URL: https://attack.mitre.org/techniques/T1123/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-script-with-clipboard-retrieval-capabilities.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-script-with-clipboard-retrieval-capabilities.asciidoc new file mode 100644 index 0000000000..9ba749a522 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-script-with-clipboard-retrieval-capabilities.asciidoc @@ -0,0 +1,146 @@ +[[prebuilt-rule-8-11-3-powershell-suspicious-script-with-clipboard-retrieval-capabilities]] +=== PowerShell Suspicious Script with Clipboard Retrieval Capabilities + +Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard +* https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Data Source: PowerShell Logs +* Resources: Investigation Guide + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Determine whether the script stores the captured data locally. +- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server. +- Assess network data to determine if the host communicated with the exfiltration server. + +### False positive analysis + +- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added. + +### Related rules + +- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + (powershell.file.script_block_text : ( + "Windows.Clipboard" or + "Windows.Forms.Clipboard" or + "Windows.Forms.TextBox" + ) and + powershell.file.script_block_text : ( + "]::GetText" or + ".Paste()" + )) or powershell.file.script_block_text : "Get-Clipboard" and + not powershell.file.script_block_text : ( + "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators" + ) and + not user.id : "S-1-5-18" and + not file.path : ( + ?\:\\\\program?files\\\\powershell\\\\?\\\\Modules\\\\*.psd1 or + ?\:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1 or + ?\:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1 or + ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.psd1 or + ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.psm1 + ) and + not ( + file.path : ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\*Modules*.ps1 and + file.name : ("Convert-ExcelRangeToImage.ps1" or "Read-Clipboard.ps1") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Clipboard Data +** ID: T1115 +** Reference URL: https://attack.mitre.org/techniques/T1115/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-script-with-screenshot-capabilities.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-script-with-screenshot-capabilities.asciidoc new file mode 100644 index 0000000000..0a22166aba --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-powershell-suspicious-script-with-screenshot-capabilities.asciidoc @@ -0,0 +1,124 @@ +[[prebuilt-rule-8-11-3-powershell-suspicious-script-with-screenshot-capabilities]] +=== PowerShell Suspicious Script with Screenshot Capabilities + +Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs). + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating PowerShell Suspicious Script with Screenshot Capabilities + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes it available for use in various environments and creates an attractive way for attackers to execute code. + +Attackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course of an operation. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Determine whether the script stores the captured data locally. +- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server. +- Assess network data to determine if the host communicated with the exfiltration server. + +### False positive analysis + +- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added. + +### Related rules + +- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + CopyFromScreen and + ("System.Drawing.Bitmap" or "Drawing.Bitmap") + ) and not user.id : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Screen Capture +** ID: T1113 +** Reference URL: https://attack.mitre.org/techniques/T1113/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-privilege-escalation-via-named-pipe-impersonation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-privilege-escalation-via-named-pipe-impersonation.asciidoc new file mode 100644 index 0000000000..2b2f8b18e1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-privilege-escalation-via-named-pipe-impersonation.asciidoc @@ -0,0 +1,128 @@ +[[prebuilt-rule-8-11-3-privilege-escalation-via-named-pipe-impersonation]] +=== Privilege Escalation via Named Pipe Impersonation + +Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation +* https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/ +* https://redcanary.com/blog/getsystem-offsec/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Privilege Escalation via Named Pipe Impersonation + +A named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point. + +Attackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE") and + process.args : "echo" and process.args : ">" and process.args : "\\\\.\\pipe\\*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc new file mode 100644 index 0000000000..821821fd06 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-11-3-privilege-escalation-via-rogue-named-pipe-impersonation]] +=== Privilege Escalation via Rogue Named Pipe Impersonation + +Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/ +* https://github.com/zcgonvh/EfsPotato +* https://twitter.com/SBousseaden/status/1429530155291193354 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Sysmon Only + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.action : "Pipe Created*" and + /* normal sysmon named pipe creation events truncate the pipe keyword */ + file.name : "\\*\\Pipe\\*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-privileged-account-brute-force.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-privileged-account-brute-force.asciidoc new file mode 100644 index 0000000000..c24def5cd5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-privileged-account-brute-force.asciidoc @@ -0,0 +1,133 @@ +[[prebuilt-rule-8-11-3-privileged-account-brute-force]] +=== Privileged Account Brute Force + +Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Privileged Account Brute Force + +Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/). + +This rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the logon failure reason code and the targeted user name. + - Prioritize the investigation if the account is critical or has administrative privileges over the domain. +- Investigate the source IP address of the failed Network Logon attempts. + - Identify whether these attempts are coming from the internet or are internal. +- Investigate other alerts associated with the involved users and source host during the past 48 hours. +- Identify the source and the target computer and their roles in the IT environment. +- Check whether the involved credentials are used in automation or scheduled tasks. +- If this activity is suspicious, contact the account owner and confirm whether they are aware of it. +- Examine the source host for derived artifacts that indicate compromise: + - Observe and collect information about the following activities in the alert source host: + - Attempts to contact external domains and addresses. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity. + +### False positive analysis + +- Authentication misconfiguration or obsolete credentials. +- Service account password expired. +- Domain trust relationship issues. +- Infrastructure or availability issues. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the source host to prevent further post-compromise behavior. +- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by winlog.computer_name, source.ip with maxspan=10s + [authentication where event.action == "logon-failed" and winlog.logon.type : "Network" and + source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and user.name : "*admin*" and + + /* noisy failure status codes often associated to authentication misconfiguration */ + not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=5 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ +* Sub-technique: +** Name: Password Guessing +** ID: T1110.001 +** Reference URL: https://attack.mitre.org/techniques/T1110/001/ +* Sub-technique: +** Name: Password Spraying +** ID: T1110.003 +** Reference URL: https://attack.mitre.org/techniques/T1110/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-process-activity-via-compiled-html-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-process-activity-via-compiled-html-file.asciidoc new file mode 100644 index 0000000000..c0445d2297 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-process-activity-via-compiled-html-file.asciidoc @@ -0,0 +1,147 @@ +[[prebuilt-rule-8-11-3-process-activity-via-compiled-html-file]] +=== Process Activity via Compiled HTML File + +Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe). + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Process Activity via Compiled HTML File + +CHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX. + +When users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Investigate the parent process to gain understanding of what triggered this behavior. + - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "hh.exe" and + process.name : ("mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: User Execution +** ID: T1204 +** Reference URL: https://attack.mitre.org/techniques/T1204/ +* Sub-technique: +** Name: Malicious File +** ID: T1204.002 +** Reference URL: https://attack.mitre.org/techniques/T1204/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Compiled HTML File +** ID: T1218.001 +** Reference URL: https://attack.mitre.org/techniques/T1218/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-process-creation-via-secondary-logon.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-process-creation-via-secondary-logon.asciidoc new file mode 100644 index 0000000000..51c5c0a045 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-process-creation-via-secondary-logon.asciidoc @@ -0,0 +1,79 @@ +[[prebuilt-rule-8-11-3-process-creation-via-secondary-logon]] +=== Process Creation via Secondary Logon + +Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/techniques/T1134/002/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 8 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by winlog.computer_name with maxspan=1m + +[authentication where event.action:"logged-in" and + event.outcome == "success" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and + + /* seclogon service */ + process.name == "svchost.exe" and + winlog.event_data.LogonProcessName : "seclogo*" and source.ip == "::1" ] by winlog.event_data.TargetLogonId + +[process where event.type == "start"] by winlog.event_data.TargetLogonId + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ +* Sub-technique: +** Name: Create Process with Token +** ID: T1134.002 +** Reference URL: https://attack.mitre.org/techniques/T1134/002/ +* Sub-technique: +** Name: Make and Impersonate Token +** ID: T1134.003 +** Reference URL: https://attack.mitre.org/techniques/T1134/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-process-execution-from-an-unusual-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-process-execution-from-an-unusual-directory.asciidoc new file mode 100644 index 0000000000..34eccdee6c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-process-execution-from-an-unusual-directory.asciidoc @@ -0,0 +1,93 @@ +[[prebuilt-rule-8-11-3-process-execution-from-an-unusual-directory]] +=== Process Execution from an Unusual Directory + +Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + /* add suspicious execution paths here */ +process.executable : ("C:\\PerfLogs\\*.exe","C:\\Users\\Public\\*.exe","C:\\Windows\\Tasks\\*.exe","C:\\Intel\\*.exe","C:\\AMD\\Temp\\*.exe","C:\\Windows\\AppReadiness\\*.exe", +"C:\\Windows\\ServiceState\\*.exe","C:\\Windows\\security\\*.exe","C:\\Windows\\IdentityCRL\\*.exe","C:\\Windows\\Branding\\*.exe","C:\\Windows\\csc\\*.exe", + "C:\\Windows\\DigitalLocker\\*.exe","C:\\Windows\\en-US\\*.exe","C:\\Windows\\wlansvc\\*.exe","C:\\Windows\\Prefetch\\*.exe","C:\\Windows\\Fonts\\*.exe", + "C:\\Windows\\diagnostics\\*.exe","C:\\Windows\\TAPI\\*.exe","C:\\Windows\\INF\\*.exe","C:\\Windows\\System32\\Speech\\*.exe","C:\\windows\\tracing\\*.exe", + "c:\\windows\\IME\\*.exe","c:\\Windows\\Performance\\*.exe","c:\\windows\\intel\\*.exe","c:\\windows\\ms\\*.exe","C:\\Windows\\dot3svc\\*.exe", + "C:\\Windows\\panther\\*.exe","C:\\Windows\\RemotePackages\\*.exe","C:\\Windows\\OCR\\*.exe","C:\\Windows\\appcompat\\*.exe","C:\\Windows\\apppatch\\*.exe","C:\\Windows\\addins\\*.exe", + "C:\\Windows\\Setup\\*.exe","C:\\Windows\\Help\\*.exe","C:\\Windows\\SKB\\*.exe","C:\\Windows\\Vss\\*.exe","C:\\Windows\\Web\\*.exe","C:\\Windows\\servicing\\*.exe","C:\\Windows\\CbsTemp\\*.exe", + "C:\\Windows\\Logs\\*.exe","C:\\Windows\\WaaS\\*.exe","C:\\Windows\\ShellExperiences\\*.exe","C:\\Windows\\ShellComponents\\*.exe","C:\\Windows\\PLA\\*.exe", + "C:\\Windows\\Migration\\*.exe","C:\\Windows\\debug\\*.exe","C:\\Windows\\Cursors\\*.exe","C:\\Windows\\Containers\\*.exe","C:\\Windows\\Boot\\*.exe","C:\\Windows\\bcastdvr\\*.exe", + "C:\\Windows\\assembly\\*.exe","C:\\Windows\\TextInput\\*.exe","C:\\Windows\\security\\*.exe","C:\\Windows\\schemas\\*.exe","C:\\Windows\\SchCache\\*.exe","C:\\Windows\\Resources\\*.exe", + "C:\\Windows\\rescache\\*.exe","C:\\Windows\\Provisioning\\*.exe","C:\\Windows\\PrintDialog\\*.exe","C:\\Windows\\PolicyDefinitions\\*.exe","C:\\Windows\\media\\*.exe", + "C:\\Windows\\Globalization\\*.exe","C:\\Windows\\L2Schemas\\*.exe","C:\\Windows\\LiveKernelReports\\*.exe","C:\\Windows\\ModemLogs\\*.exe","C:\\Windows\\ImmersiveControlPanel\\*.exe") and + not process.name : ("SpeechUXWiz.exe","SystemSettings.exe","TrustedInstaller.exe","PrintDialog.exe","MpSigStub.exe","LMS.exe","mpam-*.exe") and + not process.executable : + ("?:\\Intel\\Wireless\\WUSetupLauncher.exe", + "?:\\Intel\\Wireless\\Setup.exe", + "?:\\Intel\\Move Mouse.exe", + "?:\\windows\\Panther\\DiagTrackRunner.exe", + "?:\\Windows\\servicing\\GC64\\tzupd.exe", + "?:\\Users\\Public\\res\\RemoteLite.exe", + "?:\\Users\\Public\\IBM\\ClientSolutions\\*.exe", + "?:\\Users\\Public\\Documents\\syspin.exe", + "?:\\Users\\Public\\res\\FileWatcher.exe") + /* uncomment once in winlogbeat */ + /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */ + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-process-started-from-process-id-pid-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-process-started-from-process-id-pid-file.asciidoc new file mode 100644 index 0000000000..3b486bda97 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-process-started-from-process-id-pid-file.asciidoc @@ -0,0 +1,84 @@ +[[prebuilt-rule-8-11-3-process-started-from-process-id-pid-file]] +=== Process Started from Process ID (PID) File + +Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/ +* https://twitter.com/GossiTheDog/status/1522964028284411907 +* https://exatrack.com/public/Tricephalic_Hellkeeper.pdf +* https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Threat: BPFDoor +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Process Started from Process ID (PID) File +Detection alerts from this rule indicate a process spawned from an executable masqueraded as a legitimate PID file which is very unusual and should not occur. Here are some possible avenues of investigation: +- Examine parent and child process relationships of the new process to determine if other processes are running. +- Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: "SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';" +- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation. + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and user.id == "0" and + process.executable regex~ """/var/run/\w+\.(pid|lock|reboot)""" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-program-files-directory-masquerading.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-program-files-directory-masquerading.asciidoc new file mode 100644 index 0000000000..7c53703d73 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-program-files-directory-masquerading.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-3-program-files-directory-masquerading]] +=== Program Files Directory Masquerading + +Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.executable : "C:\\*Program*Files*\\*.exe" and + not process.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe", "C:\\Users\\*.exe", "C:\\ProgramData\\*.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-prompt-for-credentials-with-osascript.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-prompt-for-credentials-with-osascript.asciidoc new file mode 100644 index 0000000000..1b86d6bb3f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-prompt-for-credentials-with-osascript.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-3-prompt-for-credentials-with-osascript]] +=== Prompt for Credentials with OSASCRIPT + +Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py +* https://ss64.com/osx/osascript.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and + process.command_line : "osascript*display dialog*password*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Input Capture +** ID: T1056 +** Reference URL: https://attack.mitre.org/techniques/T1056/ +* Sub-technique: +** Name: GUI Input Capture +** ID: T1056.002 +** Reference URL: https://attack.mitre.org/techniques/T1056/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-rdp-enabled-via-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-rdp-enabled-via-registry.asciidoc new file mode 100644 index 0000000000..56ffb32fc4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-rdp-enabled-via-registry.asciidoc @@ -0,0 +1,130 @@ +[[prebuilt-rule-8-11-3-rdp-enabled-via-registry]] +=== RDP Enabled via Registry + +Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating RDP Enabled via Registry + +Microsoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389. + +Attackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts. + +This rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the user to check if they are aware of the operation. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check whether it makes sense to enable RDP to this host, given its role in the environment. +- Check if the host is directly exposed to the internet. +- Check whether privileged accounts accessed the host shortly after the modification. +- Review network events within a short timespan of this alert for incoming RDP connection attempts. + +### False positive analysis + +- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If RDP is needed, make sure to secure it using firewall rules: + - Allowlist RDP traffic to specific trusted hosts. + - Restrict RDP logins to authorized non-administrator accounts, where possible. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and + event.type in ("creation", "change") and + registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Control\\Terminal Server\\fDenyTSConnections" and + registry.data.strings : ("0", "0x00000000") and + not process.executable : ("?:\\Windows\\System32\\SystemPropertiesRemote.exe", + "?:\\Windows\\System32\\SystemPropertiesComputerName.exe", + "?:\\Windows\\System32\\SystemPropertiesAdvanced.exe", + "?:\\Windows\\System32\\SystemSettingsAdminFlows.exe", + "?:\\Windows\\WinSxS\\*\\TiWorker.exe", + "?:\\Windows\\system32\\svchost.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Remote Desktop Protocol +** ID: T1021.001 +** Reference URL: https://attack.mitre.org/techniques/T1021/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-registry-persistence-via-appcert-dll.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-registry-persistence-via-appcert-dll.asciidoc new file mode 100644 index 0000000000..de676b2e67 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-registry-persistence-via-appcert-dll.asciidoc @@ -0,0 +1,85 @@ +[[prebuilt-rule-8-11-3-registry-persistence-via-appcert-dll]] +=== Registry Persistence via AppCert DLL + +Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and +/* uncomment once stable length(bytes_written_string) > 0 and */ + registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: AppCert DLLs +** ID: T1546.009 +** Reference URL: https://attack.mitre.org/techniques/T1546/009/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: AppCert DLLs +** ID: T1546.009 +** Reference URL: https://attack.mitre.org/techniques/T1546/009/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-registry-persistence-via-appinit-dll.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-registry-persistence-via-appinit-dll.asciidoc new file mode 100644 index 0000000000..24e1f15f6c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-registry-persistence-via-appinit-dll.asciidoc @@ -0,0 +1,148 @@ +[[prebuilt-rule-8-11-3-registry-persistence-via-appinit-dll]] +=== Registry Persistence via AppInit DLL + +AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Registry Persistence via AppInit DLL + +AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. + +Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine. + +This rule identifies modifications on the AppInit registry keys. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Review the source process and related DLL file tied to the Windows Registry entry. + - Check whether the DLL is signed, and tied to a authorized program used on your environment. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Retrieve all DLLs under the AppInit registry keys: + - !{osquery{"label":"Osquery - Retrieve AppInit Registry Value","query":"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows' or\nr.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows') and r.name ==\n'AppInit_DLLs'\n"}} +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable and the DLLs using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and + registry.path : ( + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls", + "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls" + ) and not process.executable : ( + "C:\\Windows\\System32\\msiexec.exe", + "C:\\Windows\\SysWOW64\\msiexec.exe", + "C:\\Program Files\\Commvault\\ContentStore*\\Base\\cvd.exe", + "C:\\Program Files (x86)\\Commvault\\ContentStore*\\Base\\cvd.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: AppInit DLLs +** ID: T1546.010 +** Reference URL: https://attack.mitre.org/techniques/T1546/010/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-desktop-enabled-in-windows-firewall-by-netsh.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-desktop-enabled-in-windows-firewall-by-netsh.asciidoc new file mode 100644 index 0000000000..1ca01a71bb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-desktop-enabled-in-windows-firewall-by-netsh.asciidoc @@ -0,0 +1,115 @@ +[[prebuilt-rule-8-11-3-remote-desktop-enabled-in-windows-firewall-by-netsh]] +=== Remote Desktop Enabled in Windows Firewall by Netsh + +Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote Desktop Enabled in Windows Firewall by Netsh + +Microsoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389. + +Attackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts. + +This rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the user to check if they are aware of the operation. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check whether it makes sense to enable RDP to this host, given its role in the environment. +- Check if the host is directly exposed to the internet. +- Check whether privileged accounts accessed the host shortly after the modification. +- Review network events within a short timespan of this alert for incoming RDP connection attempts. + +### False positive analysis + +- The `netsh.exe` utility can be used legitimately. Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If RDP is needed, make sure to secure it: + - Allowlist RDP traffic to specific trusted hosts. + - Restrict RDP logins to authorized non-administrator accounts, where possible. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "netsh.exe" or process.pe.original_file_name == "netsh.exe") and + process.args : ("localport=3389", "RemoteDesktop", "group=\"remote desktop\"") and + process.args : ("action=allow", "enable=Yes", "enable") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify System Firewall +** ID: T1562.004 +** Reference URL: https://attack.mitre.org/techniques/T1562/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-copy-to-a-hidden-share.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-copy-to-a-hidden-share.asciidoc new file mode 100644 index 0000000000..43df3e9b69 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-copy-to-a-hidden-share.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-3-remote-file-copy-to-a-hidden-share]] +=== Remote File Copy to a Hidden Share + +Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : ("cmd.exe", "powershell.exe", "robocopy.exe", "xcopy.exe") and + process.args : ("copy*", "move*", "cp", "mv") and process.args : "*$*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-copy-via-teamviewer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-copy-via-teamviewer.asciidoc new file mode 100644 index 0000000000..838ee42c1f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-copy-via-teamviewer.asciidoc @@ -0,0 +1,138 @@ +[[prebuilt-rule-8-11-3-remote-file-copy-via-teamviewer]] +=== Remote File Copy via TeamViewer + +Identifies an executable or script file remotely downloaded via a TeamViewer transfer session. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote File Copy via TeamViewer + +Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files. + +TeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Contact the user to gather information about who and why was conducting the remote access. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and + file.extension : ("exe", "dll", "scr", "com", "bat", "ps1", "vbs", "vbe", "js", "wsh", "hta") and + not + ( + file.path : ( + "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\*.js", + "?:\\Users\\*\\AppData\\Local\\Temp\\TeamViewer\\update.exe", + "?:\\Users\\*\\AppData\\Local\\Temp\\?\\TeamViewer\\update.exe" + ) and process.code_signature.trusted == true + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ +* Technique: +** Name: Remote Access Software +** ID: T1219 +** Reference URL: https://attack.mitre.org/techniques/T1219/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-download-via-desktopimgdownldr-utility.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-download-via-desktopimgdownldr-utility.asciidoc new file mode 100644 index 0000000000..2dc3042e82 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-download-via-desktopimgdownldr-utility.asciidoc @@ -0,0 +1,131 @@ +[[prebuilt-rule-8-11-3-remote-file-download-via-desktopimgdownldr-utility]] +=== Remote File Download via Desktopimgdownldr Utility + +Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote File Download via Desktopimgdownldr Utility + +Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files. + +The `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary. +- Analysts can dismiss the alert if the downloaded file is a legitimate image. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "desktopimgdownldr.exe" or process.pe.original_file_name == "desktopimgdownldr.exe") and + process.args : "/lockscreenurl:http*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-download-via-mpcmdrun.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-download-via-mpcmdrun.asciidoc new file mode 100644 index 0000000000..2eb2c1f10c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-download-via-mpcmdrun.asciidoc @@ -0,0 +1,129 @@ +[[prebuilt-rule-8-11-3-remote-file-download-via-mpcmdrun]] +=== Remote File Download via MpCmdRun + +Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/mohammadaskar2/status/1301263551638761477 +* https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote File Download via MpCmdRun + +Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files. + +The `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check the reputation of the domain or IP address used to host the downloaded file. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "MpCmdRun.exe" or process.pe.original_file_name == "MpCmdRun.exe") and + process.args : "-DownloadFile" and process.args : "-url" and process.args : "-path" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-download-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-download-via-powershell.asciidoc new file mode 100644 index 0000000000..43bb48219c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-remote-file-download-via-powershell.asciidoc @@ -0,0 +1,143 @@ +[[prebuilt-rule-8-11-3-remote-file-download-via-powershell]] +=== Remote File Download via PowerShell + +Identifies powershell.exe being used to download an executable file from an untrusted remote destination. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote File Download via PowerShell + +Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files. + +PowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check the reputation of the domain or IP address used to host the downloaded file. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=30s + +[network where host.os.type == "windows" and + process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and network.protocol == "dns" and + not dns.question.name : ( + "localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", + "*.windowsupdate.com", "metadata.google.internal", "dist.nuget.org", + "artifacts.elastic.co", "*.digicert.com", "packages.chocolatey.org", + "outlook.office365.com" + ) and not user.id : "S-1-5-18"] +[file where host.os.type == "windows" and event.type == "creation" and + process.name : "powershell.exe" and file.extension : ("exe", "dll", "ps1", "bat") and + not file.name : "__PSScriptPolicy*.ps1"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-renamed-autoit-scripts-interpreter.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-renamed-autoit-scripts-interpreter.asciidoc new file mode 100644 index 0000000000..9a90ee5f5c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-renamed-autoit-scripts-interpreter.asciidoc @@ -0,0 +1,127 @@ +[[prebuilt-rule-8-11-3-renamed-autoit-scripts-interpreter]] +=== Renamed AutoIt Scripts Interpreter + +Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Renamed AutoIt Scripts Interpreter + +The OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections. + +AutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware. + +This rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.pe.original_file_name : "AutoIt*.exe" and not process.name : "AutoIt*.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-scheduled-task-execution-at-scale-via-gpo.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-scheduled-task-execution-at-scale-via-gpo.asciidoc new file mode 100644 index 0000000000..8eff96aaa7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-scheduled-task-execution-at-scale-via-gpo.asciidoc @@ -0,0 +1,133 @@ +[[prebuilt-rule-8-11-3-scheduled-task-execution-at-scale-via-gpo]] +=== Scheduled Task Execution at Scale via GPO + +Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md +* https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md +* https://labs.f-secure.com/tools/sharpgpoabuse +* https://twitter.com/menasec1/status/1106899890377052160 +* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Lateral Movement +* Data Source: Active Directory +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Scheduled Task Execution at Scale via GPO + +Group Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml` file. + +#### Possible investigation steps + +- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation. +- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO. + +### False positive analysis + +- Verify if the execution is allowed and done under change management, and if the execution is legitimate. + +### Related rules + +- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf +- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- The investigation and containment must be performed in every computer controlled by the GPO, where necessary. +- Remove the script from the GPO. +- Check if other GPOs have suspicious scheduled tasks attached. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +(event.code: "5136" and winlog.event_data.AttributeLDAPDisplayName:("gPCMachineExtensionNames" or "gPCUserExtensionNames") and + winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*)) +or +(event.code: "5145" and winlog.event_data.ShareName: "\\\\*\\SYSVOL" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and + (message: WriteData or winlog.event_data.AccessList: *%%4417*)) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Technique: +** Name: Domain Policy Modification +** ID: T1484 +** Reference URL: https://attack.mitre.org/techniques/T1484/ +* Sub-technique: +** Name: Group Policy Modification +** ID: T1484.001 +** Reference URL: https://attack.mitre.org/techniques/T1484/001/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Lateral Tool Transfer +** ID: T1570 +** Reference URL: https://attack.mitre.org/techniques/T1570/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-scheduled-tasks-at-command-enabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-scheduled-tasks-at-command-enabled.asciidoc new file mode 100644 index 0000000000..a0f7215fac --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-scheduled-tasks-at-command-enabled.asciidoc @@ -0,0 +1,86 @@ +[[prebuilt-rule-8-11-3-scheduled-tasks-at-command-enabled]] +=== Scheduled Tasks AT Command Enabled + +Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and + registry.path : ( + "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt" + ) and registry.data.strings : ("1", "0x00000001") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: At +** ID: T1053.002 +** Reference URL: https://attack.mitre.org/techniques/T1053/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-screensaver-plist-file-modified-by-unexpected-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-screensaver-plist-file-modified-by-unexpected-process.asciidoc new file mode 100644 index 0000000000..7b34b0be2e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-screensaver-plist-file-modified-by-unexpected-process.asciidoc @@ -0,0 +1,106 @@ +[[prebuilt-rule-8-11-3-screensaver-plist-file-modified-by-unexpected-process]] +=== Screensaver Plist File Modified by Unexpected Process + +Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/saving-your-access-d562bf5bf90b +* https://github.com/D00MFist/PersistentJXA + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +- Analyze the plist file modification event to identify whether the change was expected or not +- Investigate the process that modified the plist file for malicious code or other suspicious behavior +- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "macos" and event.type != "deletion" and + file.name: "com.apple.screensaver.*.plist" and + file.path : ( + "/Users/*/Library/Preferences/ByHost/*", + "/Library/Managed Preferences/*", + "/System/Library/Preferences/*" + ) and + ( + process.code_signature.trusted == false or + process.code_signature.exists == false or + + /* common script interpreters and abused native macOS bins */ + process.name : ( + "curl", + "mktemp", + "tail", + "funzip", + "python*", + "osascript", + "perl" + ) + ) and + + /* Filter OS processes modifying screensaver plist files */ + not process.executable : ( + "/usr/sbin/cfprefsd", + "/usr/libexec/xpcproxy", + "/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor", + "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-searching-for-saved-credentials-via-vaultcmd.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-searching-for-saved-credentials-via-vaultcmd.asciidoc new file mode 100644 index 0000000000..1764a29d05 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-searching-for-saved-credentials-via-vaultcmd.asciidoc @@ -0,0 +1,77 @@ +[[prebuilt-rule-8-11-3-searching-for-saved-credentials-via-vaultcmd]] +=== Searching for Saved Credentials via VaultCmd + +Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 +* https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/ +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.pe.original_file_name:"vaultcmd.exe" or process.name:"vaultcmd.exe") and + process.args:"/list*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Windows Credential Manager +** ID: T1555.004 +** Reference URL: https://attack.mitre.org/techniques/T1555/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-security-software-discovery-via-grep.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-security-software-discovery-via-grep.asciidoc new file mode 100644 index 0000000000..7ac6acae9e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-security-software-discovery-via-grep.asciidoc @@ -0,0 +1,147 @@ +[[prebuilt-rule-8-11-3-security-software-discovery-via-grep]] +=== Security Software Discovery via Grep + +Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* auditbeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Security Software Discovery via Grep + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software. + +This rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and +process.name : "grep" and user.id != "0" and + not process.parent.executable : "/Library/Application Support/*" and + process.args : + ("Little Snitch*", + "Avast*", + "Avira*", + "ESET*", + "BlockBlock*", + "360Sec*", + "LuLu*", + "KnockKnock*", + "kav", + "KIS", + "RTProtectionDaemon*", + "Malware*", + "VShieldScanner*", + "WebProtection*", + "webinspectord*", + "McAfee*", + "isecespd*", + "macmnsvc*", + "masvc*", + "kesl*", + "avscan*", + "guard*", + "rtvscand*", + "symcfgd*", + "scmdaemon*", + "symantec*", + "sophos*", + "osquery*", + "elastic-endpoint*" + ) and + not ( + (process.args : "Avast" and process.args : "Passwords") or + (process.parent.args : "/opt/McAfee/agent/scripts/ma" and process.parent.args : "checkhealth") or + (process.command_line : ( + "grep ESET Command-line scanner, version %s -A2", + "grep -i McAfee Web Gateway Core version:", + "grep --color=auto ESET Command-line scanner, version %s -A2" + ) + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Software Discovery +** ID: T1518 +** Reference URL: https://attack.mitre.org/techniques/T1518/ +* Sub-technique: +** Name: Security Software Discovery +** ID: T1518.001 +** Reference URL: https://attack.mitre.org/techniques/T1518/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sedebugprivilege-enabled-by-a-suspicious-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sedebugprivilege-enabled-by-a-suspicious-process.asciidoc new file mode 100644 index 0000000000..7c667f4379 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sedebugprivilege-enabled-by-a-suspicious-process.asciidoc @@ -0,0 +1,84 @@ +[[prebuilt-rule-8-11-3-sedebugprivilege-enabled-by-a-suspicious-process]] +=== SeDebugPrivilege Enabled by a Suspicious Process + +Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703 +* https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and + event.action : "Token Right Adjusted Events" and + + winlog.event_data.EnabledPrivilegeList : "SeDebugPrivilege" and + + /* exclude processes with System Integrity */ + not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and + + not winlog.event_data.ProcessName : + ("?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\SysWOW64\\msiexec.exe", + "?:\\Windows\\System32\\lsass.exe", + "?:\\Windows\\WinSxS\\*", + "?:\\Program Files\\*", + "?:\\Program Files (x86)\\*", + "?:\\Windows\\System32\\MRT.exe", + "?:\\Windows\\System32\\cleanmgr.exe", + "?:\\Windows\\System32\\taskhostw.exe", + "?:\\Windows\\System32\\mmc.exe", + "?:\\Users\\*\\AppData\\Local\\Temp\\*-*\\DismHost.exe", + "?:\\Windows\\System32\\auditpol.exe", + "?:\\Windows\\System32\\wbem\\WmiPrvSe.exe", + "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSe.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sensitive-files-compression.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sensitive-files-compression.asciidoc new file mode 100644 index 0000000000..cec9b26389 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sensitive-files-compression.asciidoc @@ -0,0 +1,112 @@ +[[prebuilt-rule-8-11-3-sensitive-files-compression]] +=== Sensitive Files Compression + +Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations. + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Collection +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:start and + process.name:(zip or tar or gzip or hdiutil or 7z) and + process.args: + ( + /root/.ssh/id_rsa or + /root/.ssh/id_rsa.pub or + /root/.ssh/id_ed25519 or + /root/.ssh/id_ed25519.pub or + /root/.ssh/authorized_keys or + /root/.ssh/authorized_keys2 or + /root/.ssh/known_hosts or + /root/.bash_history or + /etc/hosts or + /home/*/.ssh/id_rsa or + /home/*/.ssh/id_rsa.pub or + /home/*/.ssh/id_ed25519 or + /home/*/.ssh/id_ed25519.pub or + /home/*/.ssh/authorized_keys or + /home/*/.ssh/authorized_keys2 or + /home/*/.ssh/known_hosts or + /home/*/.bash_history or + /root/.aws/credentials or + /root/.aws/config or + /home/*/.aws/credentials or + /home/*/.aws/config or + /root/.docker/config.json or + /home/*/.docker/config.json or + /etc/group or + /etc/passwd or + /etc/shadow or + /etc/gshadow + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Unsecured Credentials +** ID: T1552 +** Reference URL: https://attack.mitre.org/techniques/T1552/ +* Sub-technique: +** Name: Credentials In Files +** ID: T1552.001 +** Reference URL: https://attack.mitre.org/techniques/T1552/001/ +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Archive Collected Data +** ID: T1560 +** Reference URL: https://attack.mitre.org/techniques/T1560/ +* Sub-technique: +** Name: Archive via Utility +** ID: T1560.001 +** Reference URL: https://attack.mitre.org/techniques/T1560/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc new file mode 100644 index 0000000000..f884b39618 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc @@ -0,0 +1,121 @@ +[[prebuilt-rule-8-11-3-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user]] +=== Sensitive Privilege SeEnableDelegationPrivilege assigned to a User + +Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ +* https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml +* https://twitter.com/_nwodtuhs/status/1454049485080907776 +* https://www.thehacker.recipes/ad/movement/kerberos/delegations +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Persistence +* Data Source: Active Directory +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User + +Kerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects. + +Enabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets. + +SeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**. + +It is critical to control the assignment of this privilege. A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system. + +#### Possible investigation steps + +- Investigate how the privilege was assigned to the user and who assigned it. +- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours. +- Investigate other alerts associated with the users/host during the past 48 hours. + +### False positive analysis + +- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it. + +### Related rules + +- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Remove the privilege from the account. +- Review the privileges of the administrator account that performed the action. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.action:"Authorization Policy Change" and event.code:4704 and + winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-setcap-setuid-setgid-capability-set.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-setcap-setuid-setgid-capability-set.asciidoc new file mode 100644 index 0000000000..2ba04349ab --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-setcap-setuid-setgid-capability-set.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-3-setcap-setuid-setgid-capability-set]] +=== Setcap setuid/setgid Capability Set + +This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 2 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "setcap" and process.args : "cap_set?id+ep" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Setuid and Setgid +** ID: T1548.001 +** Reference URL: https://attack.mitre.org/techniques/T1548/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-shared-object-created-or-changed-by-previously-unknown-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-shared-object-created-or-changed-by-previously-unknown-process.asciidoc new file mode 100644 index 0000000000..4691f19800 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-shared-object-created-or-changed-by-previously-unknown-process.asciidoc @@ -0,0 +1,70 @@ +[[prebuilt-rule-8-11-3-shared-object-created-or-changed-by-previously-unknown-process]] +=== Shared Object Created or Changed by Previously Unknown Process + +This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://threatpost.com/sneaky-malware-backdoors-linux/180158/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and +file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and +process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher" + or "pacman" or "apt-get" or "dnf")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-signed-proxy-execution-via-ms-work-folders.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-signed-proxy-execution-via-ms-work-folders.asciidoc new file mode 100644 index 0000000000..f2565bad3c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-signed-proxy-execution-via-ms-work-folders.asciidoc @@ -0,0 +1,108 @@ +[[prebuilt-rule-8-11-3-signed-proxy-execution-via-ms-work-folders]] +=== Signed Proxy Execution via MS Work Folders + +Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview +* https://twitter.com/ElliotKillick/status/1449812843772227588 +* https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame + +*Version*: 106 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Signed Proxy Execution via MS Work Folders + +Work Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share. + +Using Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. + - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. It resides in the System32 directory by default. +- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host. +- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic. +- Determine if control.exe was synced to sync share, indicating potential lateral movement. +- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to +disk from a separate binary. + +### False positive analysis + +- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it. +- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation. +- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders. +- Confirm with the user whether this was expected or not, and reset their password. + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" + and process.name : "control.exe" and process.parent.name : "WorkFolders.exe" + and not process.executable : ("?:\\Windows\\System32\\control.exe", "?:\\Windows\\SysWOW64\\control.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-solarwinds-process-disabling-services-via-registry.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-solarwinds-process-disabling-services-via-registry.asciidoc new file mode 100644 index 0000000000..54ec929517 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-solarwinds-process-disabling-services-via-registry.asciidoc @@ -0,0 +1,98 @@ +[[prebuilt-rule-8-11-3-solarwinds-process-disabling-services-via-registry]] +=== SolarWinds Process Disabling Services via Registry + +Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Initial Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and registry.path : ( + "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start", + "\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\*\\Start" + ) and + registry.data.strings : ("4", "0x00000004") and + process.name : ( + "SolarWinds.BusinessLayerHost*.exe", + "ConfigurationWizard*.exe", + "NetflowDatabaseMaintenance*.exe", + "NetFlowService*.exe", + "SolarWinds.Administration*.exe", + "SolarWinds.Collector.Service*.exe", + "SolarwindsDiagnostics*.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Supply Chain Compromise +** ID: T1195 +** Reference URL: https://attack.mitre.org/techniques/T1195/ +* Sub-technique: +** Name: Compromise Software Supply Chain +** ID: T1195.002 +** Reference URL: https://attack.mitre.org/techniques/T1195/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-startup-logon-script-added-to-group-policy-object.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-startup-logon-script-added-to-group-policy-object.asciidoc new file mode 100644 index 0000000000..208ee80613 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-startup-logon-script-added-to-group-policy-object.asciidoc @@ -0,0 +1,126 @@ +[[prebuilt-rule-8-11-3-startup-logon-script-added-to-group-policy-object]] +=== Startup/Logon Script added to Group Policy Object + +Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md +* https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md +* https://labs.f-secure.com/tools/sharpgpoabuse + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Active Directory +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Startup/Logon Script added to Group Policy Object + +Group Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths: + - `\Machine\Scripts\` + - `\User\Scripts\` + +#### Possible investigation steps + +- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation. +- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO. + +### False positive analysis + +- Verify if the execution is legitimately authorized and executed under a change management process. + +### Related rules + +- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf +- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- The investigation and containment must be performed in every computer controlled by the GPO, where necessary. +- Remove the script from the GPO. +- Check if other GPOs have suspicious scripts attached. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +( + event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and + winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and + (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*)) +) +or +( + event.code:5145 and winlog.event_data.ShareName:\\\\*\\SYSVOL and + winlog.event_data.RelativeTargetName:(*\\scripts.ini or *\\psscripts.ini) and + (message:WriteData or winlog.event_data.AccessList:*%%4417*) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Domain Policy Modification +** ID: T1484 +** Reference URL: https://attack.mitre.org/techniques/T1484/ +* Sub-technique: +** Name: Group Policy Modification +** ID: T1484.001 +** Reference URL: https://attack.mitre.org/techniques/T1484/001/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-startup-persistence-by-a-suspicious-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-startup-persistence-by-a-suspicious-process.asciidoc new file mode 100644 index 0000000000..872ed91b11 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-startup-persistence-by-a-suspicious-process.asciidoc @@ -0,0 +1,155 @@ +[[prebuilt-rule-8-11-3-startup-persistence-by-a-suspicious-process]] +=== Startup Persistence by a Suspicious Process + +Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Startup Persistence by a Suspicious Process + +The Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence. + +This rule monitors for commonly abused processes writing to the Startup folder locations. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- Administrators may add programs to this mechanism via command-line shells. Before the further investigation, verify that this activity is not benign. + +### Related rules + +- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff +- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and + user.domain != "NT AUTHORITY" and + file.path : ("C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", + "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*") and + process.name : ("cmd.exe", + "powershell.exe", + "wmic.exe", + "mshta.exe", + "pwsh.exe", + "cscript.exe", + "wscript.exe", + "regsvr32.exe", + "RegAsm.exe", + "rundll32.exe", + "EQNEDT32.EXE", + "WINWORD.EXE", + "EXCEL.EXE", + "POWERPNT.EXE", + "MSPUB.EXE", + "MSACCESS.EXE", + "iexplore.exe", + "InstallUtil.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Registry Run Keys / Startup Folder +** ID: T1547.001 +** Reference URL: https://attack.mitre.org/techniques/T1547/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-statistical-model-detected-c2-beaconing-activity-with-high-confidence.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-statistical-model-detected-c2-beaconing-activity-with-high-confidence.asciidoc new file mode 100644 index 0000000000..377b9d49da --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-statistical-model-detected-c2-beaconing-activity-with-high-confidence.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-8-11-3-statistical-model-detected-c2-beaconing-activity-with-high-confidence]] +=== Statistical Model Detected C2 Beaconing Activity with High Confidence + +A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network. + +*Rule type*: query + +*Rule indices*: + +* ml_beaconing.all + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-1h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/beaconing +* https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic + +*Tags*: + +* Domain: Network +* Use Case: C2 Beaconing Detection +* Tactic: Command and Control + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +beacon_stats.beaconing_score: 3 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Web Service +** ID: T1102 +** Reference URL: https://attack.mitre.org/techniques/T1102/ +* Sub-technique: +** Name: Bidirectional Communication +** ID: T1102.002 +** Reference URL: https://attack.mitre.org/techniques/T1102/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-statistical-model-detected-c2-beaconing-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-statistical-model-detected-c2-beaconing-activity.asciidoc new file mode 100644 index 0000000000..fab3d11037 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-statistical-model-detected-c2-beaconing-activity.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-8-11-3-statistical-model-detected-c2-beaconing-activity]] +=== Statistical Model Detected C2 Beaconing Activity + +A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network. + +*Rule type*: query + +*Rule indices*: + +* ml_beaconing.all + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-1h ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html +* https://docs.elastic.co/en/integrations/beaconing +* https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic + +*Tags*: + +* Domain: Network +* Use Case: C2 Beaconing Detection +* Tactic: Command and Control + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +beacon_stats.is_beaconing: true + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Web Service +** ID: T1102 +** Reference URL: https://attack.mitre.org/techniques/T1102/ +* Sub-technique: +** Name: Bidirectional Communication +** ID: T1102.002 +** Reference URL: https://attack.mitre.org/techniques/T1102/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sublime-plugin-or-application-script-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sublime-plugin-or-application-script-modification.asciidoc new file mode 100644 index 0000000000..ad3ff74197 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sublime-plugin-or-application-script-modification.asciidoc @@ -0,0 +1,75 @@ +[[prebuilt-rule-8-11-3-sublime-plugin-or-application-script-modification]] +=== Sublime Plugin or Application Script Modification + +Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and + file.path : + ( + "/Users/*/Library/Application Support/Sublime Text*/Packages/*.py", + "/Applications/Sublime Text.app/Contents/MacOS/sublime.py" + ) and + not process.executable : + ( + "/Applications/Sublime Text*.app/Contents/*", + "/usr/local/Cellar/git/*/bin/git", + "/Library/Developer/CommandLineTools/usr/bin/git", + "/usr/libexec/xpcproxy", + "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sudo-command-enumeration-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sudo-command-enumeration-detected.asciidoc new file mode 100644 index 0000000000..68a2bb4c79 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-sudo-command-enumeration-detected.asciidoc @@ -0,0 +1,62 @@ +[[prebuilt-rule-8-11-3-sudo-command-enumeration-detected]] +=== Sudo Command Enumeration Detected + +This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, potentially allowing to escalate privileges to root. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process.name == "sudo" and process.args == "-l" and process.args_count == 2 and +process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and +not group.Ext.real.id : "0" and not user.Ext.real.id : "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Owner/User Discovery +** ID: T1033 +** Reference URL: https://attack.mitre.org/techniques/T1033/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suid-sguid-enumeration-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suid-sguid-enumeration-detected.asciidoc new file mode 100644 index 0000000000..8d0629698e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suid-sguid-enumeration-detected.asciidoc @@ -0,0 +1,82 @@ +[[prebuilt-rule-8-11-3-suid-sguid-enumeration-detected]] +=== SUID/SGUID Enumeration Detected + +This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process.name == "find" and process.args : "-perm" and process.args : ( + "/6000", "-6000", "/4000", "-4000", "/2000", "-2000", "/u=s", "-u=s", "/g=s", "-g=s", "/u=s,g=s", "/g=s,u=s" +) and not ( + user.Ext.real.id == "0" or group.Ext.real.id == "0" or process.args_count >= 12 or + (process.args : "/usr/bin/pkexec" and process.args : "-xdev" and process.args_count == 7) +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: File and Directory Discovery +** ID: T1083 +** Reference URL: https://attack.mitre.org/techniques/T1083/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Setuid and Setgid +** ID: T1548.001 +** Reference URL: https://attack.mitre.org/techniques/T1548/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-cmd-execution-via-wmi.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-cmd-execution-via-wmi.asciidoc new file mode 100644 index 0000000000..2c8746458a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-cmd-execution-via-wmi.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-8-11-3-suspicious-cmd-execution-via-wmi]] +=== Suspicious Cmd Execution via WMI + +Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "WmiPrvSE.exe" and process.name : "cmd.exe" and + process.args : "\\\\127.0.0.1\\*" and process.args : ("2>&1", "1>") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-content-extracted-or-decompressed-via-funzip.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-content-extracted-or-decompressed-via-funzip.asciidoc new file mode 100644 index 0000000000..564ce0c94a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-content-extracted-or-decompressed-via-funzip.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-3-suspicious-content-extracted-or-decompressed-via-funzip]] +=== Suspicious Content Extracted or Decompressed via Funzip + +Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the "-c" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://attack.mitre.org/software/S0482/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +((process.args == "tail" and process.args == "-c" and process.args == "funzip")) and +not process.args : "/var/log/messages" and +not process.parent.executable : ("/usr/bin/dracut", "/sbin/dracut", "/usr/bin/xargs") and +not (process.parent.name in ("sh", "sudo") and process.parent.command_line : "*nessus_su*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Technique: +** Name: Deobfuscate/Decode Files or Information +** ID: T1140 +** Reference URL: https://attack.mitre.org/techniques/T1140/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-data-encryption-via-openssl-utility.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-data-encryption-via-openssl-utility.asciidoc new file mode 100644 index 0000000000..111ed77979 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-data-encryption-via-openssl-utility.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-3-suspicious-data-encryption-via-openssl-utility]] +=== Suspicious Data Encryption via OpenSSL Utility + +Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/ +* https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Impact +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, user.name, process.parent.entity_id with maxspan=5s + [ process where host.os.type == "linux" and event.action == "exec" and + process.name == "openssl" and process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl*", "php*", "python*", "xargs") and + process.args == "-in" and process.args == "-out" and + process.args in ("-k", "-K", "-kfile", "-pass", "-iv", "-md") and + /* excluding base64 encoding options and including encryption password or key params */ + not process.args in ("-d", "-a", "-A", "-base64", "-none", "-nosalt") ] with runs=10 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Encrypted for Impact +** ID: T1486 +** Reference URL: https://attack.mitre.org/techniques/T1486/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc new file mode 100644 index 0000000000..c775b079a9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc @@ -0,0 +1,170 @@ +[[prebuilt-rule-8-11-3-suspicious-dll-loaded-for-persistence-or-privilege-escalation]] +=== Suspicious DLL Loaded for Persistence or Privilege Escalation + +Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://itm4n.github.io/windows-dll-hijacking-clarified/ +* http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html +* https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html +* https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html +* https://windows-internals.com/faxing-your-way-to-system/ +* http://waleedassar.blogspot.com/2013/01/wow64logdll.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation + +Attackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process. + +#### Possible investigation steps + +- Examine the DLL signature and identify the process that created it. + - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve the DLL and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +any where host.os.type == "windows" and + (event.category : ("driver", "library") or (event.category == "process" and event.action : "Image loaded*")) and + ( + /* compatible with Elastic Endpoint Library Events */ + (dll.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll", + "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll", + "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "oci.dll", "TPPCOIPW32.dll", + "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll") + and (dll.code_signature.trusted != true or dll.code_signature.exists != true)) or + + /* compatible with Sysmon EventID 7 - Image Load */ + (file.name : ("wlbsctrl.dll", "wbemcomn.dll", "WptsExtensions.dll", "Tsmsisrv.dll", "TSVIPSrv.dll", "Msfte.dll", + "wow64log.dll", "WindowsCoreDeviceInfo.dll", "Ualapi.dll", "wlanhlp.dll", "phoneinfo.dll", "EdgeGdi.dll", + "cdpsgshims.dll", "windowsperformancerecordercontrol.dll", "diagtrack_win.dll", "oci.dll", "TPPCOIPW32.dll", + "tpgenlic.dll", "thinmon.dll", "fxsst.dll", "msTracer.dll") and + not file.path : ("?:\\Windows\\System32\\wbemcomn.dll", "?:\\Windows\\SysWOW64\\wbemcomn.dll") and + not file.hash.sha256 : + ("6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f", + "b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4", + "c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662") and + not file.code_signature.status == "Valid") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Side-Loading +** ID: T1574.002 +** Reference URL: https://attack.mitre.org/techniques/T1574/002/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Search Order Hijacking +** ID: T1574.001 +** Reference URL: https://attack.mitre.org/techniques/T1574/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-endpoint-security-parent-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-endpoint-security-parent-process.asciidoc new file mode 100644 index 0000000000..0e06511600 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-endpoint-security-parent-process.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-8-11-3-suspicious-endpoint-security-parent-process]] +=== Suspicious Endpoint Security Parent Process + +A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : ("esensor.exe", "elastic-endpoint.exe") and + process.parent.executable != null and + /* add FPs here */ + not process.parent.executable : ("C:\\Program Files\\Elastic\\*", + "C:\\Windows\\System32\\services.exe", + "C:\\Windows\\System32\\WerFault*.exe", + "C:\\Windows\\System32\\wermgr.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-execution-from-a-mounted-device.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-execution-from-a-mounted-device.asciidoc new file mode 100644 index 0000000000..c7b0101569 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-execution-from-a-mounted-device.asciidoc @@ -0,0 +1,97 @@ +[[prebuilt-rule-8-11-3-suspicious-execution-from-a-mounted-device]] +=== Suspicious Execution from a Mounted Device + +Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ +* https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.executable : "C:\\*" and + (process.working_directory : "?:\\" and not process.working_directory: "C:\\") and + process.parent.name : "explorer.exe" and + process.name : ("rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "regsvr32.exe", + "cscript.exe", "wscript.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: Mshta +** ID: T1218.005 +** Reference URL: https://attack.mitre.org/techniques/T1218/005/ +* Sub-technique: +** Name: Regsvr32 +** ID: T1218.010 +** Reference URL: https://attack.mitre.org/techniques/T1218/010/ +* Sub-technique: +** Name: Rundll32 +** ID: T1218.011 +** Reference URL: https://attack.mitre.org/techniques/T1218/011/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-execution-via-scheduled-task.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-execution-via-scheduled-task.asciidoc new file mode 100644 index 0000000000..ee792abf9a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-execution-via-scheduled-task.asciidoc @@ -0,0 +1,115 @@ +[[prebuilt-rule-8-11-3-suspicious-execution-via-scheduled-task]] +=== Suspicious Execution via Scheduled Task + +Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + /* Schedule service cmdline on Win10+ */ + process.parent.name : "svchost.exe" and process.parent.args : "Schedule" and + /* add suspicious programs here */ + process.pe.original_file_name in + ( + "cscript.exe", + "wscript.exe", + "PowerShell.EXE", + "Cmd.Exe", + "MSHTA.EXE", + "RUNDLL32.EXE", + "REGSVR32.EXE", + "MSBuild.exe", + "InstallUtil.exe", + "RegAsm.exe", + "RegSvcs.exe", + "msxsl.exe", + "CONTROL.EXE", + "EXPLORER.EXE", + "Microsoft.Workflow.Compiler.exe", + "msiexec.exe" + ) and + /* add suspicious paths here */ + process.args : ( + "C:\\Users\\*", + "C:\\ProgramData\\*", + "C:\\Windows\\Temp\\*", + "C:\\Windows\\Tasks\\*", + "C:\\PerfLogs\\*", + "C:\\Intel\\*", + "C:\\Windows\\Debug\\*", + "C:\\HP\\*") and + + not (process.name : "cmd.exe" and process.args : "?:\\*.bat" and process.working_directory : "?:\\Windows\\System32\\") and + not (process.name : "cscript.exe" and process.args : "?:\\Windows\\system32\\calluxxprovider.vbs") and + not (process.name : "powershell.exe" and process.args : ("-File", "-PSConsoleFile") and user.id : "S-1-5-18") and + not (process.name : "msiexec.exe" and user.id : "S-1-5-18") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-explorer-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-explorer-child-process.asciidoc new file mode 100644 index 0000000000..ec8a6ce4cc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-explorer-child-process.asciidoc @@ -0,0 +1,113 @@ +[[prebuilt-rule-8-11-3-suspicious-explorer-child-process]] +=== Suspicious Explorer Child Process + +Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + ( + process.name : ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "cmd.exe", "mshta.exe", "regsvr32.exe") or + process.pe.original_file_name in ("cscript.exe", "wscript.exe", "PowerShell.EXE", "RUNDLL32.EXE", "Cmd.Exe", "MSHTA.EXE", "REGSVR32.EXE") + ) and + /* Explorer started via DCOM */ + process.parent.name : "explorer.exe" and process.parent.args : "-Embedding" and + not process.parent.args: + ( + /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */ + "/factory,{5BD95610-9434-43C2-886C-57852CC8A120}", + "/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Sub-technique: +** Name: Spearphishing Link +** ID: T1566.002 +** Reference URL: https://attack.mitre.org/techniques/T1566/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-file-changes-activity-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-file-changes-activity-detected.asciidoc new file mode 100644 index 0000000000..4ef2333a41 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-file-changes-activity-detected.asciidoc @@ -0,0 +1,64 @@ +[[prebuilt-rule-8-11-3-suspicious-file-changes-activity-detected]] +=== Suspicious File Changes Activity Detected + +This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Impact +* Data Source: Elastic Defend + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id, host.id with maxspan=1s + [file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*" + and process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*") and + file.path : ( + "/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*", + "/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*")] with runs=25 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Data Encrypted for Impact +** ID: T1486 +** Reference URL: https://attack.mitre.org/techniques/T1486/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-file-creation-in-etc-for-persistence.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-file-creation-in-etc-for-persistence.asciidoc new file mode 100644 index 0000000000..7edd7cac47 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-file-creation-in-etc-for-persistence.asciidoc @@ -0,0 +1,114 @@ +[[prebuilt-rule-8-11-3-suspicious-file-creation-in-etc-for-persistence]] +=== Suspicious File Creation in /etc for Persistence + +Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/ +* https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Threat: Orbit +* Threat: Lightning Framework +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and user.name == "root" and +file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*", +"/usr/lib/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd", +"*/snapd", "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system", "*/bin/dockerd", "*/sbin/dockerd", +"/kaniko/executor", "/usr/sbin/rhn_check") and not file.extension in ("swp", "swpx", "tmp") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Sub-technique: +** Name: RC Scripts +** ID: T1037.004 +** Reference URL: https://attack.mitre.org/techniques/T1037/004/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: Dynamic Linker Hijacking +** ID: T1574.006 +** Reference URL: https://attack.mitre.org/techniques/T1574/006/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Systemd Service +** ID: T1543.002 +** Reference URL: https://attack.mitre.org/techniques/T1543/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Sudo and Sudo Caching +** ID: T1548.003 +** Reference URL: https://attack.mitre.org/techniques/T1548/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-html-file-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-html-file-creation.asciidoc new file mode 100644 index 0000000000..079b6f8710 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-html-file-creation.asciidoc @@ -0,0 +1,99 @@ +[[prebuilt-rule-8-11-3-suspicious-html-file-creation]] +=== Suspicious HTML File Creation + +Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by user.id with maxspan=5m + [file where host.os.type == "windows" and event.action in ("creation", "rename") and + file.extension : ("htm", "html") and + file.path : ("?:\\Users\\*\\Downloads\\*", + "?:\\Users\\*\\Content.Outlook\\*", + "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*", + "?:\\Users\\*\\AppData\\Local\\Temp\\7z*", + "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*") and + ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)] + [process where host.os.type == "windows" and event.action == "start" and + ( + (process.name in ("chrome.exe", "msedge.exe", "brave.exe", "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe") + and process.args == "--single-argument") or + (process.name == "iexplore.exe" and process.args_count == 2) or + (process.name in ("firefox.exe", "waterfox.exe") and process.args == "-url") + ) + and process.args : ("?:\\Users\\*\\Downloads\\*.htm*", + "?:\\Users\\*\\Content.Outlook\\*.htm*", + "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*.htm*", + "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.htm*", + "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*.htm*")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Sub-technique: +** Name: Spearphishing Link +** ID: T1566.002 +** Reference URL: https://attack.mitre.org/techniques/T1566/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Sub-technique: +** Name: HTML Smuggling +** ID: T1027.006 +** Reference URL: https://attack.mitre.org/techniques/T1027/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-image-load-taskschd-dll-from-ms-office.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-image-load-taskschd-dll-from-ms-office.asciidoc new file mode 100644 index 0000000000..addc78321c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-image-load-taskschd-dll-from-ms-office.asciidoc @@ -0,0 +1,86 @@ +[[prebuilt-rule-8-11-3-suspicious-image-load-taskschd-dll-from-ms-office]] +=== Suspicious Image Load (taskschd.dll) from MS Office + +Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 +* https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +any where host.os.type == "windows" and + (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and + process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and + (dll.name : "taskschd.dll" or file.name : "taskschd.dll") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-inter-process-communication-via-outlook.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-inter-process-communication-via-outlook.asciidoc new file mode 100644 index 0000000000..d251667e99 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-inter-process-communication-via-outlook.asciidoc @@ -0,0 +1,91 @@ +[[prebuilt-rule-8-11-3-suspicious-inter-process-communication-via-outlook]] +=== Suspicious Inter-Process Communication via Outlook + +Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Collection +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1m +[process where host.os.type == "windows" and event.action == "start" and + ( + process.name : ( + "rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe", + "cmd.exe", "regsvr32.exe", "cscript.exe", "wscript.exe" + ) or + ( + (process.code_signature.trusted == false or process.code_signature.exists == false) and + (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500) + ) + ) +] by process.executable +[process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and + process.Ext.effective_parent.name != null] by process.Ext.effective_parent.executable + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Collection +** ID: TA0009 +** Reference URL: https://attack.mitre.org/tactics/TA0009/ +* Technique: +** Name: Email Collection +** ID: T1114 +** Reference URL: https://attack.mitre.org/techniques/T1114/ +* Sub-technique: +** Name: Local Email Collection +** ID: T1114.001 +** Reference URL: https://attack.mitre.org/techniques/T1114/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Inter-Process Communication +** ID: T1559 +** Reference URL: https://attack.mitre.org/techniques/T1559/ +* Sub-technique: +** Name: Component Object Model +** ID: T1559.001 +** Reference URL: https://attack.mitre.org/techniques/T1559/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-java-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-java-child-process.asciidoc new file mode 100644 index 0000000000..f82f24a3ae --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-java-child-process.asciidoc @@ -0,0 +1,112 @@ +[[prebuilt-rule-8-11-3-suspicious-java-child-process]] +=== Suspicious JAVA Child Process + +Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability. + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.lunasec.io/docs/blog/log4j-zero-day/ +* https://github.com/christophetd/log4shell-vulnerable-app +* https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf +* https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security +* https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046 + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Resources: Investigation Guide +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 206 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Java Child Process + +This rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. +- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes. +- Examine the command line to determine if the command executed is potentially harmful or malicious. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. + +### False positive analysis + +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and event.type:("start" or "process_started") and process.parent.name:"java" and process.name:( + "sh" or "bash" or "dash" or "ksh" or "tcsh" or "zsh" or "curl" or "wget" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: JavaScript +** ID: T1059.007 +** Reference URL: https://attack.mitre.org/techniques/T1059/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-lsass-access-via-malseclogon.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-lsass-access-via-malseclogon.asciidoc new file mode 100644 index 0000000000..be1b5f8012 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-lsass-access-via-malseclogon.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-8-11-3-suspicious-lsass-access-via-malseclogon]] +=== Suspicious LSASS Access via MalSecLogon + +Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Sysmon Only + +*Version*: 207 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.code == "10" and + winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and + + /* seclogon service accessing lsass */ + winlog.event_data.CallTrace : "*seclogon.dll*" and process.name : "svchost.exe" and + + /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */ + winlog.event_data.GrantedAccess == "0x14c0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-lsass-process-access.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-lsass-process-access.asciidoc new file mode 100644 index 0000000000..8d8f1086b0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-lsass-process-access.asciidoc @@ -0,0 +1,89 @@ +[[prebuilt-rule-8-11-3-suspicious-lsass-process-access]] +=== Suspicious Lsass Process Access + +Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Sysmon Only + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.code == "10" and + winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and + not winlog.event_data.GrantedAccess : + ("0x1000", "0x1400", "0x101400", "0x101000", "0x101001", "0x100000", "0x100040", "0x3200", "0x40", "0x3200") and + not process.name : ("procexp64.exe", "procmon.exe", "procexp.exe", "Microsoft.Identity.AadConnect.Health.AadSync.Host.ex") and + not process.executable : ( + "?:\\ProgramData\\Microsoft\\Windows Defender\\platform\\*", + "?:\\ProgramData\\WebEx\\webex\\*", + "?:\\Program Files (x86)\\*", + "?:\\Program Files\\*", + "?:\\Windows\\CCM\\CcmExec.exe", + "?:\\Windows\\LTSvc\\LTSVC.exe", + "?:\\Windows\\Sysmon.exe", + "?:\\Windows\\Sysmon64.exe", + "?:\\Windows\\system32\\csrss.exe", + "?:\\Windows\\System32\\lsm.exe", + "?:\\Windows\\system32\\MRT.exe", + "?:\\Windows\\System32\\msiexec.exe", + "?:\\Windows\\system32\\wbem\\wmiprvse.exe", + "?:\\Windows\\system32\\wininit.exe", + "?:\\Windows\\SystemTemp\\GUM*.tmp\\GoogleUpdate.exe", + "?:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe" + ) and + not winlog.event_data.CallTrace : ("*mpengine.dll*", "*appresolver.dll*", "*sysmain.dll*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-microsoft-diagnostics-wizard-execution.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-microsoft-diagnostics-wizard-execution.asciidoc new file mode 100644 index 0000000000..1213014f04 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-microsoft-diagnostics-wizard-execution.asciidoc @@ -0,0 +1,78 @@ +[[prebuilt-rule-8-11-3-suspicious-microsoft-diagnostics-wizard-execution]] +=== Suspicious Microsoft Diagnostics Wizard Execution + +Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/nao_sec/status/1530196847679401984 +* https://lolbas-project.github.io/lolbas/Binaries/Msdt/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.pe.original_file_name == "msdt.exe" or process.name : "msdt.exe") and + ( + process.args : ("IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", "*FromBase64*") or + + (process.args : "-af" and process.args : "/skip" and + process.parent.name : ("explorer.exe", "cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe") and + process.args : ("?:\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml", "PCWDiagnostic.xml", "?:\\Users\\Public\\*", "?:\\Windows\\Temp\\*")) or + + (process.pe.original_file_name == "msdt.exe" and not process.name : "msdt.exe" and process.name != null) or + + (process.pe.original_file_name == "msdt.exe" and not process.executable : ("?:\\Windows\\system32\\msdt.exe", "?:\\Windows\\SysWOW64\\msdt.exe")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-mining-process-creation-event.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-mining-process-creation-event.asciidoc new file mode 100644 index 0000000000..a7c95cb751 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-mining-process-creation-event.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-11-3-suspicious-mining-process-creation-event]] +=== Suspicious Mining Process Creation Event + +Identifies service creation events of common mining services, possibly indicating the infection of a system with a cryptominer. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type == "creation" and +event.action : ("creation", "file_create_event") and +file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.service", "pnsd.service", "apache4.service", "pastebin.service", "xvf.service") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-module-loaded-by-lsass.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-module-loaded-by-lsass.asciidoc new file mode 100644 index 0000000000..770ff3ad6a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-module-loaded-by-lsass.asciidoc @@ -0,0 +1,130 @@ +[[prebuilt-rule-8-11-3-suspicious-module-loaded-by-lsass]] +=== Suspicious Module Loaded by LSASS + +Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.xpnsec.com/exploring-mimikatz-part-2/ +* https://github.com/jas502n/mimikat_ssp + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +library where host.os.type == "windows" and process.executable : "?:\\Windows\\System32\\lsass.exe" and + not (dll.code_signature.subject_name : + ("Microsoft Windows", + "Microsoft Corporation", + "Microsoft Windows Publisher", + "Microsoft Windows Software Compatibility Publisher", + "Microsoft Windows Hardware Compatibility Publisher", + "McAfee, Inc.", + "SecMaker AB", + "HID Global Corporation", + "HID Global", + "Apple Inc.", + "Citrix Systems, Inc.", + "Dell Inc", + "Hewlett-Packard Company", + "Symantec Corporation", + "National Instruments Corporation", + "DigitalPersona, Inc.", + "Novell, Inc.", + "gemalto", + "EasyAntiCheat Oy", + "Entrust Datacard Corporation", + "AuriStor, Inc.", + "LogMeIn, Inc.", + "VMware, Inc.", + "Istituto Poligrafico e Zecca dello Stato S.p.A.", + "Nubeva Technologies Ltd", + "Micro Focus (US), Inc.", + "Yubico AB", + "GEMALTO SA", + "Secure Endpoints, Inc.", + "Sophos Ltd", + "Morphisec Information Security 2014 Ltd", + "Entrust, Inc.", + "Nubeva Technologies Ltd", + "Micro Focus (US), Inc.", + "F5 Networks Inc", + "Bit4id", + "Thales DIS CPL USA, Inc.", + "Micro Focus International plc", + "HYPR Corp", + "Intel(R) Software Development Products", + "PGP Corporation", + "Parallels International GmbH", + "FrontRange Solutions Deutschland GmbH", + "SecureLink, Inc.", + "Tidexa OU", + "Amazon Web Services, Inc.", + "SentryBay Limited", + "Audinate Pty Ltd", + "CyberArk Software Ltd.", + "McAfeeSysPrep", + "NVIDIA Corporation PE Sign v2016") and + dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining")) and + + not dll.hash.sha256 : + ("811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c", + "1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1", + "ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3", + "26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12", + "9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa", + "d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b", + "0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61", + "4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb", + "86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: LSASS Memory +** ID: T1003.001 +** Reference URL: https://attack.mitre.org/techniques/T1003/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-ms-office-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-ms-office-child-process.asciidoc new file mode 100644 index 0000000000..26d2c6f167 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-ms-office-child-process.asciidoc @@ -0,0 +1,159 @@ +[[prebuilt-rule-8-11-3-suspicious-ms-office-child-process]] +=== Suspicious MS Office Child Process + +Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/blog/vulnerability-summary-follina + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious MS Office Child Process + +Microsoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of. + +This rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client. +- Determine if the collected files are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. + - If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ("eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe", "mspub.exe", "powerpnt.exe", "winword.exe", "outlook.exe") and + process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "certutil.exe", + "cmd.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe", + "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", "iexpress.exe", "installutil.exe", "ipconfig.exe", + "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "odbcconf.exe", + "ping.exe", "powershell.exe", "pwsh.exe", "qprocess.exe", "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", + "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe", + "wmic.exe", "wscript.exe", "xwizard.exe", "explorer.exe", "rundll32.exe", "hh.exe", "msdt.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-ms-outlook-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-ms-outlook-child-process.asciidoc new file mode 100644 index 0000000000..b9ad51ea04 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-ms-outlook-child-process.asciidoc @@ -0,0 +1,158 @@ +[[prebuilt-rule-8-11-3-suspicious-ms-outlook-child-process]] +=== Suspicious MS Outlook Child Process + +Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious MS Outlook Child Process + +Microsoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite. + +This rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve recently opened files received via email and opened by the user that could cause this behavior. Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client. +- Determine if the collected files are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. + - If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "outlook.exe" and + process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", + "cdb.exe", "certutil.exe", "cmd.exe", "cmstp.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", + "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", + "iexpress.exe", "installutil.exe", "ipconfig.exe", "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", + "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "odbcconf.exe", "ping.exe", "powershell.exe", + "pwsh.exe", "qprocess.exe", "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", + "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe", "systeminfo.exe", "tasklist.exe", + "tracert.exe", "whoami.exe", "wmic.exe", "wscript.exe", "xwizard.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-net-code-compilation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-net-code-compilation.asciidoc new file mode 100644 index 0000000000..60bb8ce560 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-net-code-compilation.asciidoc @@ -0,0 +1,82 @@ +[[prebuilt-rule-8-11-3-suspicious-net-code-compilation]] +=== Suspicious .NET Code Compilation + +Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : ("csc.exe", "vbc.exe") and + process.parent.name : ("wscript.exe", "mshta.exe", "cscript.exe", "wmic.exe", "svchost.exe", "rundll32.exe", "cmstp.exe", "regsvr32.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Obfuscated Files or Information +** ID: T1027 +** Reference URL: https://attack.mitre.org/techniques/T1027/ +* Sub-technique: +** Name: Compile After Delivery +** ID: T1027.004 +** Reference URL: https://attack.mitre.org/techniques/T1027/004/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-net-reflection-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-net-reflection-via-powershell.asciidoc new file mode 100644 index 0000000000..93262dcdb8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-net-reflection-via-powershell.asciidoc @@ -0,0 +1,168 @@ +[[prebuilt-rule-8-11-3-suspicious-net-reflection-via-powershell]] +=== Suspicious .NET Reflection via PowerShell + +Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious .NET Reflection via PowerShell + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Examine file or network events from the involved PowerShell process for suspicious behavior. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the script using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed. + +### Related rules + +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe +- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d +- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + "[System.Reflection.Assembly]::Load" or + "[Reflection.Assembly]::Load" + ) and not + powershell.file.script_block_text : ( + ("CommonWorkflowParameters" or "RelatedLinksHelpInfo") and + "HelpDisplayStrings" + ) and not + (powershell.file.script_block_text : + ("Get-SolutionFiles" or "Get-VisualStudio" or "Select-MSBuildPath") and + not file.name : "PathFunctions.ps1" + ) + and not user.id : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Reflective Code Loading +** ID: T1620 +** Reference URL: https://attack.mitre.org/techniques/T1620/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Dynamic-link Library Injection +** ID: T1055.001 +** Reference URL: https://attack.mitre.org/techniques/T1055/001/ +* Sub-technique: +** Name: Portable Executable Injection +** ID: T1055.002 +** Reference URL: https://attack.mitre.org/techniques/T1055/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc new file mode 100644 index 0000000000..d19be3bc71 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc @@ -0,0 +1,80 @@ +[[prebuilt-rule-8-11-3-suspicious-network-activity-to-the-internet-by-previously-unknown-executable]] +=== Suspicious Network Activity to the Internet by Previously Unknown Executable + +This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. + +*Rule type*: new_terms + +*Rule indices*: + +* auditbeat-* +* filebeat-* +* packetbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-59m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and +process.executable:( + (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or + /etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/* + ) and not (/tmp/newroot/* or /tmp/snap.rootfs*) + ) and +source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and +not process.name:( + apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or + saml2aws or wget or yum or ansible* or aws* or php* or pip* or python* or steam* or terraform* +) and +not destination.ip:( + 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or + 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or + 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or + 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-pdf-reader-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-pdf-reader-child-process.asciidoc new file mode 100644 index 0000000000..0dbe29329a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-pdf-reader-child-process.asciidoc @@ -0,0 +1,145 @@ +[[prebuilt-rule-8-11-3-suspicious-pdf-reader-child-process]] +=== Suspicious PDF Reader Child Process + +Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Initial Access +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious PDF Reader Child Process + +PDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation. + +This rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve PDF documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client. +- Determine if the collected files are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. + - If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ("AcroRd32.exe", + "Acrobat.exe", + "FoxitPhantomPDF.exe", + "FoxitReader.exe") and + process.name : ("arp.exe", "dsquery.exe", "dsget.exe", "gpresult.exe", "hostname.exe", "ipconfig.exe", "nbtstat.exe", + "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "ping.exe", "qprocess.exe", + "quser.exe", "qwinsta.exe", "reg.exe", "sc.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", + "whoami.exe", "bginfo.exe", "cdb.exe", "cmstp.exe", "csi.exe", "dnx.exe", "fsi.exe", "ieexec.exe", + "iexpress.exe", "installutil.exe", "Microsoft.Workflow.Compiler.exe", "msbuild.exe", "mshta.exe", + "msxsl.exe", "odbcconf.exe", "rcsi.exe", "regsvr32.exe", "xwizard.exe", "atbroker.exe", + "forfiles.exe", "schtasks.exe", "regasm.exe", "regsvcs.exe", "cmd.exe", "cscript.exe", + "powershell.exe", "pwsh.exe", "wmic.exe", "wscript.exe", "bitsadmin.exe", "certutil.exe", "ftp.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Exploitation for Client Execution +** ID: T1203 +** Reference URL: https://attack.mitre.org/techniques/T1203/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-portable-executable-encoded-in-powershell-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-portable-executable-encoded-in-powershell-script.asciidoc new file mode 100644 index 0000000000..0cacf294e1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-portable-executable-encoded-in-powershell-script.asciidoc @@ -0,0 +1,145 @@ +[[prebuilt-rule-8-11-3-suspicious-portable-executable-encoded-in-powershell-script]] +=== Suspicious Portable Executable Encoded in Powershell Script + +Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: PowerShell Logs + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Portable Executable Encoded in Powershell Script + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code. + +Attackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Evaluate whether the user needs to use PowerShell to complete tasks. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the script using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad +- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a +- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Reimage the host operating system or restore the compromised files to clean versions. +- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + TVqQAAMAAAAEAAAA + ) and not user.id : "S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-print-spooler-file-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-print-spooler-file-deletion.asciidoc new file mode 100644 index 0000000000..7048cf3a23 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-print-spooler-file-deletion.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-3-suspicious-print-spooler-file-deletion]] +=== Suspicious Print Spooler File Deletion + +Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type : "deletion" and + not process.name : ("spoolsv.exe", "dllhost.exe", "explorer.exe") and + file.path : "?:\\Windows\\System32\\spool\\drivers\\x64\\3\\*.dll" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-print-spooler-spl-file-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-print-spooler-spl-file-created.asciidoc new file mode 100644 index 0000000000..5abf4d0a94 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-print-spooler-spl-file-created.asciidoc @@ -0,0 +1,149 @@ +[[prebuilt-rule-8-11-3-suspicious-print-spooler-spl-file-created]] +=== Suspicious Print Spooler SPL File Created + +Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Print Spooler SPL File Created + +Print Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc. + +The Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\Windows\System32\spool\PRINTERS\`, which is an essential step in exploiting these vulnerabilities. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process executable and file conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Ensure that the machine has the latest security updates and is not running legacy Windows versions. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and + file.extension : "spl" and + file.path : "?:\\Windows\\System32\\spool\\PRINTERS\\*" and + not process.name : ("spoolsv.exe", + "printfilterpipelinesvc.exe", + "PrintIsolationHost.exe", + "splwow64.exe", + "msiexec.exe", + "poqexec.exe") and + not user.id : "S-1-5-18" and + not process.executable : + ("?:\\Windows\\System32\\mmc.exe", + "\\Device\\Mup\\*.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Windows\\System32\\mmc.exe", + "?:\\Windows\\System32\\printui.exe", + "?:\\Windows\\System32\\mstsc.exe", + "?:\\Windows\\System32\\spool\\*.exe", + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\PROGRA~1\\*.exe", + "?:\\PROGRA~2\\*.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-printspooler-service-executable-file-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-printspooler-service-executable-file-creation.asciidoc new file mode 100644 index 0000000000..77aa8b5ae8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-printspooler-service-executable-file-creation.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-8-11-3-suspicious-printspooler-service-executable-file-creation]] +=== Suspicious PrintSpooler Service Executable File Creation + +Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/ +* https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and + process.name : "spoolsv.exe" and file.extension : "dll" and + file.path : ("?:\\Windows\\System32\\*", "?:\\Windows\\SysWOW64\\*") and + not file.path : + ("?:\\WINDOWS\\SysWOW64\\PrintConfig.dll", + "?:\\WINDOWS\\system32\\x5lrs.dll", + "?:\\WINDOWS\\sysWOW64\\x5lrs.dll", + "?:\\WINDOWS\\system32\\PrintConfig.dll") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-process-access-via-direct-system-call.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-process-access-via-direct-system-call.asciidoc new file mode 100644 index 0000000000..cb61b4b5e7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-process-access-via-direct-system-call.asciidoc @@ -0,0 +1,154 @@ +[[prebuilt-rule-8-11-3-suspicious-process-access-via-direct-system-call]] +=== Suspicious Process Access via Direct System Call + +Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://twitter.com/SBousseaden/status/1278013896440324096 +* https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Sysmon Only + +*Version*: 210 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Process Access via Direct System Call + +Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly. + +More context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/). + +This rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove the malicious certificate from the root certificate store. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.code == "10" and + length(winlog.event_data.CallTrace) > 0 and + + /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */ + not winlog.event_data.CallTrace : + ("?:\\WINDOWS\\SYSTEM32\\ntdll.dll*", + "?:\\WINDOWS\\SysWOW64\\ntdll.dll*", + "?:\\Windows\\System32\\wow64cpu.dll*", + "?:\\WINDOWS\\System32\\wow64win.dll*", + "?:\\Windows\\System32\\win32u.dll*") and + + not winlog.event_data.TargetImage : + ("?:\\Program Files (x86)\\Malwarebytes Anti-Exploit\\mbae-svc.exe", + "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe", + "?:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\*\\msedgewebview2.exe", + "?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\*\\AcroCEF.exe") and + + not (process.executable : ("?:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe", + "?:\\Program Files (x86)\\World of Warcraft\\_classic_\\WowClassic.exe") and + not winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-process-execution-via-renamed-psexec-executable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-process-execution-via-renamed-psexec-executable.asciidoc new file mode 100644 index 0000000000..c250b415dc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-process-execution-via-renamed-psexec-executable.asciidoc @@ -0,0 +1,121 @@ +[[prebuilt-rule-8-11-3-suspicious-process-execution-via-renamed-psexec-executable]] +=== Suspicious Process Execution via Renamed PsExec Executable + +Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Process Execution via Renamed PsExec Executable + +PsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections. + +This rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name. + +#### Possible investigation steps + +- Check if the usage of this tool complies with the organization's administration policy. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Identify the target computer and its role in the IT environment. +- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + +### False positive analysis + +- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. + - Prioritize cases involving critical servers and users. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.pe.original_file_name : "psexesvc.exe" and not process.name : "PSEXESVC.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: System Services +** ID: T1569 +** Reference URL: https://attack.mitre.org/techniques/T1569/ +* Sub-technique: +** Name: Service Execution +** ID: T1569.002 +** Reference URL: https://attack.mitre.org/techniques/T1569/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-process-spawned-from-motd-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-process-spawned-from-motd-detected.asciidoc new file mode 100644 index 0000000000..681adf42f9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-process-spawned-from-motd-detected.asciidoc @@ -0,0 +1,152 @@ +[[prebuilt-rule-8-11-3-suspicious-process-spawned-from-motd-detected]] +=== Suspicious Process Spawned from MOTD Detected + +Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and "/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Endgame +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 7 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Process Spawned from MOTD Detected + +The message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux. + +Attackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable. + +This rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible Investigation Steps + +- Investigate the file that was created or modified from which the suspicious process was executed. + - !{osquery{"label":"Osquery - Retrieve File Information","query":"SELECT * FROM file WHERE path = {{file.path}}"}} +- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered. + - !{osquery{"label":"Osquery - Retrieve File Listing Information","query":"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')"}} + - !{osquery{"label":"Osquery - Retrieve Additional File Listing Information","query":"SELECT\n f.path,\n u.username AS file_owner,\n g.groupname AS group_owner,\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\n datetime(f.btime, 'unixepoch') AS file_created_time,\n f.size AS size_bytes\nFROM\n file f\n LEFT JOIN users u ON f.uid = u.uid\n LEFT JOIN groups g ON f.gid = g.gid\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\n"}} +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - !{osquery{"label":"Osquery - Retrieve Running Processes by User","query":"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username"}} +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + - Cron jobs, services, and other persistence mechanisms. + - !{osquery{"label":"Osquery - Retrieve Crontab Information","query":"SELECT * FROM crontab"}} + +### Related Rules + +- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Delete the MOTD files or restore them to the original configuration. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and event.action : ("exec", "exec_event") and +process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and ( + (process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and ( + (process.args : ("-i", "-l")) or (process.parent.name == "socat" and process.parent.args : "*exec*"))) or + (process.name : ("nc", "ncat", "netcat", "nc.openbsd") and process.args_count >= 3 and + not process.args : ("-*z*", "-*l*")) or + (process.name : "python*" and process.args : "-c" and process.args : ( + "*import*pty*spawn*", "*import*subprocess*call*" + )) or + (process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : ( + "*exec*", "*system*" + )) or + (process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : ( + "*TCPSocket.new*", "*TCPSocket.open*" + )) or + (process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : ( + "*io.popen*", "*os.execute*" + )) or + (process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or + (process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or + (process.name in ("openssl", "telnet")) +) and +not (process.parent.args : "--force" or process.args : ("/usr/games/lolcat", "/usr/bin/screenfetch")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-rdp-activex-client-loaded.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-rdp-activex-client-loaded.asciidoc new file mode 100644 index 0000000000..12fb3a45fd --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-rdp-activex-client-loaded.asciidoc @@ -0,0 +1,85 @@ +[[prebuilt-rule-8-11-3-suspicious-rdp-activex-client-loaded]] +=== Suspicious RDP ActiveX Client Loaded + +Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +any where host.os.type == "windows" and + (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and + (dll.name : "mstscax.dll" or file.name : "mstscax.dll") and + /* depending on noise in your env add here extra paths */ + process.executable : + ( + "C:\\Windows\\*", + "C:\\Users\\Public\\*", + "C:\\Users\\Default\\*", + "C:\\Intel\\*", + "C:\\PerfLogs\\*", + "C:\\ProgramData\\*", + "\\Device\\Mup\\*", + "\\\\*" + ) and + /* add here FPs */ + not process.executable : ("C:\\Windows\\System32\\mstsc.exe", "C:\\Windows\\SysWOW64\\mstsc.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: Remote Desktop Protocol +** ID: T1021.001 +** Reference URL: https://attack.mitre.org/techniques/T1021/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-remote-registry-access-via-sebackupprivilege.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-remote-registry-access-via-sebackupprivilege.asciidoc new file mode 100644 index 0000000000..d9883d7222 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-remote-registry-access-via-sebackupprivilege.asciidoc @@ -0,0 +1,128 @@ +[[prebuilt-rule-8-11-3-suspicious-remote-registry-access-via-sebackupprivilege]] +=== Suspicious Remote Registry Access via SeBackupPrivilege + +Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/mpgn/BackupOperatorToDA +* https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Tactic: Credential Access +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring +* Data Source: Active Directory + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Suspicious Remote Registry Access via SeBackupPrivilege + +SeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system. + +This rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the activities done by the subject user the login session. The field `winlog.event_data.SubjectLogonId` can be used to get this data. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created. +- Investigate if the registry file was retrieved or exfiltrated. + +### False positive analysis + +- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Limit or disable the involved user account to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m + [iam where event.action == "logged-in-special" and + winlog.event_data.PrivilegeList : "SeBackupPrivilege" and + + /* excluding accounts with existing privileged access */ + not winlog.event_data.PrivilegeList : "SeDebugPrivilege"] + [any where event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Sub-technique: +** Name: LSA Secrets +** ID: T1003.004 +** Reference URL: https://attack.mitre.org/techniques/T1003/004/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-renaming-of-esxi-files.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-renaming-of-esxi-files.asciidoc new file mode 100644 index 0000000000..6a6da8efdf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-renaming-of-esxi-files.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-11-3-suspicious-renaming-of-esxi-files]] +=== Suspicious Renaming of ESXI Files + +Identifies instances where VMware-related files, such as those with extensions like ".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".vswp", ".vmss", ".nvram", and ".vmem", are renamed on a Linux system. The rule monitors for the "rename" event action associated with these file types, which could indicate malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.action == "rename" and +file.Ext.original.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem") +and not file.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-renaming-of-esxi-index-html-file.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-renaming-of-esxi-index-html-file.asciidoc new file mode 100644 index 0000000000..8d402d4153 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-renaming-of-esxi-index-html-file.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-11-3-suspicious-renaming-of-esxi-index-html-file]] +=== Suspicious Renaming of ESXI index.html File + +Identifies instances where the "index.html" file within the "/usr/lib/vmware/*" directory is renamed on a Linux system. The rule monitors for the "rename" event action associated with this specific file and path, which could indicate malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and +file.Ext.original.path : "/usr/lib/vmware/*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-solarwinds-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-solarwinds-child-process.asciidoc new file mode 100644 index 0000000000..9834c851b4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-solarwinds-child-process.asciidoc @@ -0,0 +1,91 @@ +[[prebuilt-rule-8-11-3-suspicious-solarwinds-child-process]] +=== Suspicious SolarWinds Child Process + +A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html +* https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name: ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe") and + not process.name : ( + "APMServiceControl*.exe", + "ExportToPDFCmd*.Exe", + "SolarWinds.Credentials.Orion.WebApi*.exe", + "SolarWinds.Orion.Topology.Calculator*.exe", + "Database-Maint.exe", + "SolarWinds.Orion.ApiPoller.Service.exe", + "WerFault.exe", + "WerMgr.exe", + "SolarWinds.BusinessLayerHost.exe", + "SolarWinds.BusinessLayerHostx64.exe") and + not process.executable : ("?:\\Windows\\SysWOW64\\ARP.EXE", "?:\\Windows\\SysWOW64\\lodctr.exe", "?:\\Windows\\SysWOW64\\unlodctr.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Native API +** ID: T1106 +** Reference URL: https://attack.mitre.org/techniques/T1106/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Supply Chain Compromise +** ID: T1195 +** Reference URL: https://attack.mitre.org/techniques/T1195/ +* Sub-technique: +** Name: Compromise Software Supply Chain +** ID: T1195.002 +** Reference URL: https://attack.mitre.org/techniques/T1195/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-symbolic-link-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-symbolic-link-created.asciidoc new file mode 100644 index 0000000000..93af6f915b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-symbolic-link-created.asciidoc @@ -0,0 +1,92 @@ +[[prebuilt-rule-8-11-3-suspicious-symbolic-link-created]] +=== Suspicious Symbolic Link Created + +Identifies the creation of a symbolic link to a suspicious file or location. A symbolic link is a reference to a file or directory that acts as a pointer or shortcut, allowing users to access the target file or directory from a different location in the file system. An attacker can potentially leverage symbolic links for privilege escalation by tricking a privileged process into following the symbolic link to a sensitive file, giving the attacker access to data or capabilities they would not normally have. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Credential Access +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action in ("exec", "exec_event") and +event.type == "start" and process.name == "ln" and process.args in ("-s", "-sf") and + ( + /* suspicious files */ + (process.args in ("/etc/shadow", "/etc/shadow-", "/etc/shadow~", "/etc/gshadow", "/etc/gshadow-") or + (process.working_directory == "/etc" and process.args in ("shadow", "shadow-", "shadow~", "gshadow", "gshadow-"))) or + + /* suspicious bins */ + (process.args in ("/bin/bash", "/bin/dash", "/bin/sh", "/bin/tcsh", "/bin/csh", "/bin/zsh", "/bin/ksh", "/bin/fish") or + (process.working_directory == "/bin" and process.args : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"))) or + (process.args in ("/usr/bin/bash", "/usr/bin/dash", "/usr/bin/sh", "/usr/bin/tcsh", "/usr/bin/csh", "/usr/bin/zsh", "/usr/bin/ksh", "/usr/bin/fish") or + (process.working_directory == "/usr/bin" and process.args in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"))) or + + /* suspicious locations */ + (process.args : ("/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.weekly/*", "/etc/cron.monthly/*")) or + (process.args : ("/home/*/.ssh/*", "/root/.ssh/*","/etc/sudoers.d/*", "/dev/shm/*")) + ) and + process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and + not user.Ext.real.id == "0" and not group.Ext.real.id == "0" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: /etc/passwd and /etc/shadow +** ID: T1003.008 +** Reference URL: https://attack.mitre.org/techniques/T1003/008/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc new file mode 100644 index 0000000000..0bc9e15a01 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc @@ -0,0 +1,73 @@ +[[prebuilt-rule-8-11-3-suspicious-system-commands-executed-by-previously-unknown-executable]] +=== Suspicious System Commands Executed by Previously Unknown Executable + +This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. + +*Rule type*: new_terms + +*Rule indices*: + +* logs-endpoint.events.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 104 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and +process.executable:( + /bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or + /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or + /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*) + and process.args:(whoami or id or hostname or uptime or top or ifconfig or netstat or route or ps or pwd or ls) and + not process.name:(sudo or which or whoami or id or hostname or uptime or top or netstat or ps or pwd or ls or apt or + dpkg or yum or rpm or dnf or dockerd or docker or snapd or snap) and + not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: Unix Shell +** ID: T1059.004 +** Reference URL: https://attack.mitre.org/techniques/T1059/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-termination-of-esxi-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-termination-of-esxi-process.asciidoc new file mode 100644 index 0000000000..e834e16344 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-termination-of-esxi-process.asciidoc @@ -0,0 +1,62 @@ +[[prebuilt-rule-8-11-3-suspicious-termination-of-esxi-process]] +=== Suspicious Termination of ESXI Process + +Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system by a "kill" command. The rule monitors for the "end" event type, which signifies the termination of a process. The presence of a "kill" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to interfere with the virtualized environment on the targeted system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/ + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Impact +* Data Source: Elastic Defend + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.type == "end" and process.name : ("vmware-vmx", "vmx") +and process.parent.name : "kill" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Service Stop +** ID: T1489 +** Reference URL: https://attack.mitre.org/techniques/T1489/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-utility-launched-via-proxychains.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-utility-launched-via-proxychains.asciidoc new file mode 100644 index 0000000000..012da35ad9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-utility-launched-via-proxychains.asciidoc @@ -0,0 +1,65 @@ +[[prebuilt-rule-8-11-3-suspicious-utility-launched-via-proxychains]] +=== Suspicious Utility Launched via ProxyChains + +This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "proxychains" and process.args : ( + "ssh", "sshd", "sshuttle", "socat", "iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", + "ssf", "3proxy", "ngrok", "gost", "pivotnacci", "chisel*", "nmap", "ping", "python*", "php*", "perl", "ruby", + "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", "ftp", "curl", "wget") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Protocol Tunneling +** ID: T1572 +** Reference URL: https://attack.mitre.org/techniques/T1572/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-werfault-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-werfault-child-process.asciidoc new file mode 100644 index 0000000000..0df2c76a47 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-werfault-child-process.asciidoc @@ -0,0 +1,101 @@ +[[prebuilt-rule-8-11-3-suspicious-werfault-child-process]] +=== Suspicious WerFault Child Process + +A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/ +* https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/ +* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +* http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + + process.parent.name : "WerFault.exe" and + + /* args -s and -t used to execute a process via SilentProcessExit mechanism */ + (process.parent.args : "-s" and process.parent.args : "-t" and process.parent.args : "-c") and + + not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Image File Execution Options Injection +** ID: T1546.012 +** Reference URL: https://attack.mitre.org/techniques/T1546/012/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Image File Execution Options Injection +** ID: T1546.012 +** Reference URL: https://attack.mitre.org/techniques/T1546/012/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-wmi-image-load-from-ms-office.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-wmi-image-load-from-ms-office.asciidoc new file mode 100644 index 0000000000..6ce66c198b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-suspicious-wmi-image-load-from-ms-office.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-3-suspicious-wmi-image-load-from-ms-office]] +=== Suspicious WMI Image Load from MS Office + +Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +any where host.os.type == "windows" and + (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and + process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and + (dll.name : "wmiutils.dll" or file.name : "wmiutils.dll") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-svchost-spawning-cmd.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-svchost-spawning-cmd.asciidoc new file mode 100644 index 0000000000..0659415d13 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-svchost-spawning-cmd.asciidoc @@ -0,0 +1,123 @@ +[[prebuilt-rule-8-11-3-svchost-spawning-cmd]] +=== Svchost spawning Cmd + +Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe + +*Rule type*: new_terms + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 208 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Svchost spawning Cmd + +The Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services. + +This rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +host.os.type:windows and event.category:process and event.type:start and process.parent.name:"svchost.exe" and +process.name.caseless:"cmd.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-symbolic-link-to-shadow-copy-created.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-symbolic-link-to-shadow-copy-created.asciidoc new file mode 100644 index 0000000000..3002c4cd25 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-symbolic-link-to-shadow-copy-created.asciidoc @@ -0,0 +1,128 @@ +[[prebuilt-rule-8-11-3-symbolic-link-to-shadow-copy-created]] +=== Symbolic Link to Shadow Copy Created + +Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink +* https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf +* https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/ +* https://www.hackingarticles.in/credential-dumping-ntds-dit/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Symbolic Link to Shadow Copy Created + +Shadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Determine if a volume shadow copy was recently created on this endpoint. +- Review privileges of the end user as this requires administrative access. +- Verify if the ntds.dit file was successfully copied and determine its copy destination. +- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe. +- Investigate recent deletions of volume shadow copies. +- Identify other files potentially copied from volume shadow copy paths directly. + +### False positive analysis + +- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules + +- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- If the entire domain or the `krbtgt` user was compromised: + - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user. +- Locate and remove static files copied from volume shadow copies. +- Command-Line tool mklink should require administrative access by default unless in developer mode. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.pe.original_file_name in ("Cmd.Exe","PowerShell.EXE") and + + /* Create Symbolic Link to Shadow Copies */ + process.args : ("*mklink*", "*SymbolicLink*") and process.command_line : ("*HarddiskVolumeShadowCopy*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Sub-technique: +** Name: NTDS +** ID: T1003.003 +** Reference URL: https://attack.mitre.org/techniques/T1003/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc new file mode 100644 index 0000000000..9e33266bf7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc @@ -0,0 +1,93 @@ +[[prebuilt-rule-8-11-3-system-binary-copied-and-or-moved-to-suspicious-directory]] +=== System Binary Copied and/or Moved to Suspicious Directory + +This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name in ("cp", "mv") and process.args : ( + // Shells + "/bin/*sh", "/usr/bin/*sh", + + // Interpreters + "/bin/python*", "/usr/bin/python*", "/bin/php*", "/usr/bin/php*", "/bin/ruby*", "/usr/bin/ruby*", "/bin/perl*", + "/usr/bin/perl*", "/bin/lua*", "/usr/bin/lua*", "/bin/java*", "/usr/bin/java*", + + // Compilers + "/bin/gcc*", "/usr/bin/gcc*", "/bin/g++*", "/usr/bin/g++*", "/bin/cc", "/usr/bin/cc", + + // Suspicious utilities + "/bin/nc", "/usr/bin/nc", "/bin/ncat", "/usr/bin/ncat", "/bin/netcat", "/usr/bin/netcat", "/bin/nc.openbsd", + "/usr/bin/nc.openbsd", "/bin/*awk", "/usr/bin/*awk", "/bin/socat", "/usr/bin/socat", "/bin/openssl", + "/usr/bin/openssl", "/bin/telnet", "/usr/bin/telnet", "/bin/mkfifo", "/usr/bin/mkfifo", "/bin/mknod", + "/usr/bin/mknod", "/bin/ping*", "/usr/bin/ping*", "/bin/nmap", "/usr/bin/nmap", + + // System utilities + "/bin/ls", "/usr/bin/ls", "/bin/cat", "/usr/bin/cat", "/bin/sudo", "/usr/bin/sudo", "/bin/curl", "/usr/bin/curl", + "/bin/wget", "/usr/bin/wget", "/bin/tmux", "/usr/bin/tmux", "/bin/screen", "/usr/bin/screen", "/bin/ssh", + "/usr/bin/ssh", "/bin/ftp", "/usr/bin/ftp" + ) and not process.parent.name in ("dracut-install", "apticron", "generate-from-dir", "platform-python")] + [file where host.os.type == "linux" and event.action == "creation" and file.path : ( + "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*" + )] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Rename System Utilities +** ID: T1036.003 +** Reference URL: https://attack.mitre.org/techniques/T1036/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-system-log-file-deletion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-system-log-file-deletion.asciidoc new file mode 100644 index 0000000000..414b01c6b7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-system-log-file-deletion.asciidoc @@ -0,0 +1,83 @@ +[[prebuilt-rule-8-11-3-system-log-file-deletion]] +=== System Log File Deletion + +Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "linux" and event.type == "deletion" and + file.path : + ( + "/var/run/utmp", + "/var/log/wtmp", + "/var/log/btmp", + "/var/log/lastlog", + "/var/log/faillog", + "/var/log/syslog", + "/var/log/messages", + "/var/log/secure", + "/var/log/auth.log", + "/var/log/boot.log", + "/var/log/kern.log" + ) and + not process.name in ("gzip", "executor", "dockerd") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Linux or Mac System Logs +** ID: T1070.002 +** Reference URL: https://attack.mitre.org/techniques/T1070/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-tampering-of-bash-command-line-history.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-tampering-of-bash-command-line-history.asciidoc new file mode 100644 index 0000000000..5cbc8be4b5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-tampering-of-bash-command-line-history.asciidoc @@ -0,0 +1,76 @@ +[[prebuilt-rule-8-11-3-tampering-of-bash-command-line-history]] +=== Tampering of Bash Command-Line History + +Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 104 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type in ("start", "process_started") and + ( + ((process.args : ("rm", "echo") or + (process.args : "ln" and process.args : "-sf" and process.args : "/dev/null") or + (process.args : "truncate" and process.args : "-s0")) + and process.args : (".bash_history", "/root/.bash_history", "/home/*/.bash_history","/Users/.bash_history", "/Users/*/.bash_history", + ".zsh_history", "/root/.zsh_history", "/home/*/.zsh_history", "/Users/.zsh_history", "/Users/*/.zsh_history")) or + (process.name : "history" and process.args : "-c") or + (process.args : "export" and process.args : ("HISTFILE=/dev/null", "HISTFILESIZE=0")) or + (process.args : "unset" and process.args : "HISTFILE") or + (process.args : "set" and process.args : "history" and process.args : "+o") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Clear Command History +** ID: T1070.003 +** Reference URL: https://attack.mitre.org/techniques/T1070/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-third-party-backup-files-deleted-via-unexpected-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-third-party-backup-files-deleted-via-unexpected-process.asciidoc new file mode 100644 index 0000000000..91bc4e50fa --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-third-party-backup-files-deleted-via-unexpected-process.asciidoc @@ -0,0 +1,133 @@ +[[prebuilt-rule-8-11-3-third-party-backup-files-deleted-via-unexpected-process]] +=== Third-party Backup Files Deleted via Unexpected Process + +Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Third-party Backup Files Deleted via Unexpected Process + +Backups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target. + +Attackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom. + +This rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check if any files on the host machine have been encrypted. + +### False positive analysis + +- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together. + +### Related rules + +- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59 +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 +- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "deletion" and + ( + /* Veeam Related Backup Files */ + (file.extension : ("VBK", "VIB", "VBM") and + not ( + process.executable : ("?:\\Windows\\*", "?:\\Program Files\\*", "?:\\Program Files (x86)\\*") and + (process.code_signature.trusted == true and process.code_signature.subject_name : "Veeam Software Group GmbH") + )) or + + /* Veritas Backup Exec Related Backup File */ + (file.extension : "BKF" and + not process.executable : ("?:\\Program Files\\Veritas\\Backup Exec\\*", + "?:\\Program Files (x86)\\Veritas\\Backup Exec\\*") and + not file.path : ("?:\\ProgramData\\Trend Micro\\*", + "?:\\Program Files (x86)\\Trend Micro\\*", + "?:\\$RECYCLE.BIN\\*")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Technique: +** Name: Data Destruction +** ID: T1485 +** Reference URL: https://attack.mitre.org/techniques/T1485/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-threat-intel-hash-indicator-match.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-threat-intel-hash-indicator-match.asciidoc new file mode 100644 index 0000000000..4e860f9c4e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-threat-intel-hash-indicator-match.asciidoc @@ -0,0 +1,116 @@ +[[prebuilt-rule-8-11-3-threat-intel-hash-indicator-match]] +=== Threat Intel Hash Indicator Match + +This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events. + +*Rule type*: threat_match + +*Rule indices*: + +* auditbeat-* +* endgame-* +* filebeat-* +* logs-* +* winlogbeat-* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 1h + +*Searches indices from*: now-65m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html +* https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html +* https://www.elastic.co/security/tip + +*Tags*: + +* OS: Windows +* Data Source: Elastic Endgame +* Rule Type: Indicator Match + +*Version*: 5 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and Analysis + +### Investigating Threat Intel Hash Indicator Match + +Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. + +Matches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation. + +This rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Gain context about the field that matched the local observation. This information can be found in the `threat.indicator.matched.field` field. +- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field: + - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash. +- Identify the process that created the file. + - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. + - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization. +- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} +- Using the data collected through the analysis, scope users targeted and other machines infected in the environment. + +### False Positive Analysis + +- Adversaries often use legitimate tools as network administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives. + +### Response and Remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file.hash.*:* or process.hash.*:* or dll.hash.*:* + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-threat-intel-ip-address-indicator-match.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-threat-intel-ip-address-indicator-match.asciidoc new file mode 100644 index 0000000000..67a4f63338 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-threat-intel-ip-address-indicator-match.asciidoc @@ -0,0 +1,118 @@ +[[prebuilt-rule-8-11-3-threat-intel-ip-address-indicator-match]] +=== Threat Intel IP Address Indicator Match + +This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event. + +*Rule type*: threat_match + +*Rule indices*: + +* auditbeat-* +* endgame-* +* filebeat-* +* logs-* +* packetbeat-* +* winlogbeat-* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 1h + +*Searches indices from*: now-65m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html +* https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html +* https://www.elastic.co/security/tip + +*Tags*: + +* OS: Windows +* Data Source: Elastic Endgame +* Rule Type: Indicator Match + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and Analysis + +### Investigating Threat Intel IP Address Indicator Match + +Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. + +Matches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation. + +This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Gain context about the field that matched the local observation so you can understand the nature of the connection. This information can be found in the `threat.indicator.matched.field` field. +- Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field: + - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} +- Using the data collected through the analysis, scope users targeted and other machines infected in the environment. + +### False Positive Analysis + +- When a match is found, it's important to consider the indicator's initial release date. Threat intelligence is useful for augmenting existing security processes but can quickly become outdated. In other words, some threat intelligence only represents a specific set of activity observed at a specific time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat. +- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure. +- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning. + +### Response and Remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +source.ip:* or destination.ip:* + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-threat-intel-url-indicator-match.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-threat-intel-url-indicator-match.asciidoc new file mode 100644 index 0000000000..e13842c1bc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-threat-intel-url-indicator-match.asciidoc @@ -0,0 +1,121 @@ +[[prebuilt-rule-8-11-3-threat-intel-url-indicator-match]] +=== Threat Intel URL Indicator Match + +This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc. + +*Rule type*: threat_match + +*Rule indices*: + +* auditbeat-* +* endgame-* +* filebeat-* +* logs-* +* packetbeat-* +* winlogbeat-* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 1h + +*Searches indices from*: now-65m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html +* https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html +* https://www.elastic.co/security/tip + +*Tags*: + +* OS: Windows +* Data Source: Elastic Endgame +* Rule Type: Indicator Match + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and Analysis + +### Investigating Threat Intel URL Indicator Match + +Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. + +Matches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation. + +This rule is triggered when a URL indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains URL data, like DNS events, network logs, etc. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field: + - Identify the type of malicious activity related to the URL (phishing, malware, etc.). + - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + - Execute a WHOIS lookup to retrieve information about the domain registration and contacts to report abuse. + - If dealing with a phishing incident: + - Contact the user to gain more information around the delivery method, information sent, etc. + - Analyze whether the URL is trying to impersonate a legitimate address. Look for typosquatting, extra or unusual subdomains, or other anomalies that could lure the user. + - Investigate the phishing page to identify which information may have been sent to the attacker by the user. +- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} +- Using the data collected through the analysis, scope users targeted and other machines infected in the environment. + +### False Positive Analysis + +- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure. +- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning. + +### Response and Remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Consider reporting the address for abuse using the provided contact information. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +url.full:* + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-threat-intel-windows-registry-indicator-match.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-threat-intel-windows-registry-indicator-match.asciidoc new file mode 100644 index 0000000000..b26b9edbc9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-threat-intel-windows-registry-indicator-match.asciidoc @@ -0,0 +1,111 @@ +[[prebuilt-rule-8-11-3-threat-intel-windows-registry-indicator-match]] +=== Threat Intel Windows Registry Indicator Match + +This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data. + +*Rule type*: threat_match + +*Rule indices*: + +* auditbeat-* +* endgame-* +* filebeat-* +* logs-* +* winlogbeat-* + +*Severity*: critical + +*Risk score*: 99 + +*Runs every*: 1h + +*Searches indices from*: now-65m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html +* https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html +* https://www.elastic.co/security/tip + +*Tags*: + +* OS: Windows +* Data Source: Elastic Endgame +* Rule Type: Indicator Match + +*Version*: 4 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and Analysis + +### Investigating Threat Intel Windows Registry Indicator Match + +Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. + +Matches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation. + +This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains registry data. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Check related threat reports to gain context about the registry indicator of compromise (IoC) and to understand if it's a system-native mechanism abused for persistence, to store data, to disable security mechanisms, etc. Use this information to define the appropriate triage and respond steps. +- Identify the process responsible for the registry operation and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} +- Using the data collected through the analysis, scope users targeted and other machines infected in the environment. + +### False Positive Analysis + +- Adversaries can leverage dual-use registry mechanisms that are commonly used by normal applications. These registry keys can be added into indicator lists creating the potential for false positives. + +### Response and Remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry.path:* + +---------------------------------- diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-timestomping-using-touch-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-timestomping-using-touch-command.asciidoc new file mode 100644 index 0000000000..211cc175b1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-timestomping-using-touch-command.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-3-timestomping-using-touch-command]] +=== Timestomping using Touch Command + +Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 33 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 104 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.name : "touch" and user.id != "0" and + process.args : ("-r", "-t", "-a*","-m*") and + not process.args : ("/usr/lib/go-*/bin/go", "/usr/lib/dracut/dracut-functions.sh", "/tmp/KSInstallAction.*/m/.patch/*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ +* Sub-technique: +** Name: Timestomp +** ID: T1070.006 +** Reference URL: https://attack.mitre.org/techniques/T1070/006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc new file mode 100644 index 0000000000..565e01a6ba --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc @@ -0,0 +1,100 @@ +[[prebuilt-rule-8-11-3-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer]] +=== UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer + +Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.executable : "C:\\*\\AppData\\*\\Temp\\IDC*.tmp\\*.exe" and + process.parent.name : "ieinstal.exe" and process.parent.args : "-Embedding" + + /* uncomment once in winlogbeat */ + /* and not (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) */ + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Inter-Process Communication +** ID: T1559 +** Reference URL: https://attack.mitre.org/techniques/T1559/ +* Sub-technique: +** Name: Component Object Model +** ID: T1559.001 +** Reference URL: https://attack.mitre.org/techniques/T1559/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc new file mode 100644 index 0000000000..d5f362c53f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc @@ -0,0 +1,95 @@ +[[prebuilt-rule-8-11-3-uac-bypass-attempt-via-privileged-ifileoperation-com-interface]] +=== UAC Bypass Attempt via Privileged IFileOperation COM Interface + +Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/hfiref0x/UACME +* https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type : "change" and process.name : "dllhost.exe" and + /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */ + file.name : ("wow64log.dll", "comctl32.dll", "DismCore.dll", "OskSupport.dll", "duser.dll", "Accessibility.ni.dll") and + /* has no impact on rule logic just to avoid OS install related FPs */ + not file.path : ("C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\WinSxS\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Side-Loading +** ID: T1574.002 +** Reference URL: https://attack.mitre.org/techniques/T1574/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc new file mode 100644 index 0000000000..ce4ac0469b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc @@ -0,0 +1,153 @@ +[[prebuilt-rule-8-11-3-uac-bypass-attempt-via-windows-directory-masquerading]] +=== UAC Bypass Attempt via Windows Directory Masquerading + +Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating UAC Bypass Attempt via Windows Directory Masquerading + +Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted. + +For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works). + +This rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze any suspicious spawned processes using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.args : ("C:\\Windows \\system32\\*.exe", "C:\\Windows \\SysWOW64\\*.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Match Legitimate Name or Location +** ID: T1036.005 +** Reference URL: https://attack.mitre.org/techniques/T1036/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc new file mode 100644 index 0000000000..1dc1812dde --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc @@ -0,0 +1,98 @@ +[[prebuilt-rule-8-11-3-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface]] +=== UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface + +Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/hfiref0x/UACME + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.name : "Clipup.exe" and + not process.executable : "C:\\Windows\\System32\\ClipUp.exe" and process.parent.name : "dllhost.exe" and + /* CLSID of the Elevated COM Interface IEditionUpgradeManager */ + process.parent.args : "/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Inter-Process Communication +** ID: T1559 +** Reference URL: https://attack.mitre.org/techniques/T1559/ +* Sub-technique: +** Name: Component Object Model +** ID: T1559.001 +** Reference URL: https://attack.mitre.org/techniques/T1559/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc new file mode 100644 index 0000000000..917d682533 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc @@ -0,0 +1,97 @@ +[[prebuilt-rule-8-11-3-uac-bypass-via-diskcleanup-scheduled-task-hijack]] +=== UAC Bypass via DiskCleanup Scheduled Task Hijack + +Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.args : "/autoclean" and process.args : "/d" and + not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe", + "C:\\Windows\\SysWOW64\\cleanmgr.exe", + "C:\\Windows\\System32\\taskhostw.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Scheduled Task +** ID: T1053.005 +** Reference URL: https://attack.mitre.org/techniques/T1053/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc new file mode 100644 index 0000000000..645cb10c93 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc @@ -0,0 +1,96 @@ +[[prebuilt-rule-8-11-3-uac-bypass-via-icmluautil-elevated-com-interface]] +=== UAC Bypass via ICMLuaUtil Elevated COM Interface + +Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name == "dllhost.exe" and + process.parent.args in ("/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}") and + process.pe.original_file_name != "WerFault.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Inter-Process Communication +** ID: T1559 +** Reference URL: https://attack.mitre.org/techniques/T1559/ +* Sub-technique: +** Name: Component Object Model +** ID: T1559.001 +** Reference URL: https://attack.mitre.org/techniques/T1559/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc new file mode 100644 index 0000000000..67366db113 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc @@ -0,0 +1,156 @@ +[[prebuilt-rule-8-11-3-uac-bypass-via-windows-firewall-snap-in-hijack]] +=== UAC Bypass via Windows Firewall Snap-In Hijack + +Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/AzAgarampur/byeintegrity-uac + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating UAC Bypass via Windows Firewall Snap-In Hijack + +Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted. + +For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works). + +This rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze any suspicious spawned processes using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name == "mmc.exe" and + /* process.Ext.token.integrity_level_name == "high" can be added in future for tuning */ + /* args of the Windows Firewall SnapIn */ + process.parent.args == "WF.msc" and process.name != "WerFault.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Bypass User Account Control +** ID: T1548.002 +** Reference URL: https://attack.mitre.org/techniques/T1548/002/ +* Technique: +** Name: System Binary Proxy Execution +** ID: T1218 +** Reference URL: https://attack.mitre.org/techniques/T1218/ +* Sub-technique: +** Name: MMC +** ID: T1218.014 +** Reference URL: https://attack.mitre.org/techniques/T1218/014/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unexpected-child-process-of-macos-screensaver-engine.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unexpected-child-process-of-macos-screensaver-engine.asciidoc new file mode 100644 index 0000000000..58fdde6cab --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unexpected-child-process-of-macos-screensaver-engine.asciidoc @@ -0,0 +1,82 @@ +[[prebuilt-rule-8-11-3-unexpected-child-process-of-macos-screensaver-engine]] +=== Unexpected Child Process of macOS Screensaver Engine + +Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/saving-your-access-d562bf5bf90b +* https://github.com/D00MFist/PersistentJXA + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such +as a download of a payload from a server. +- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to +identify whether the file is malicious or not. + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type == "start" and process.parent.name == "ScreenSaverEngine" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Screensaver +** ID: T1546.002 +** Reference URL: https://attack.mitre.org/techniques/T1546/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc new file mode 100644 index 0000000000..161a9a3e0e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc @@ -0,0 +1,153 @@ +[[prebuilt-rule-8-11-3-unsigned-dll-side-loading-from-a-suspicious-folder]] +=== Unsigned DLL Side-Loading from a Suspicious Folder + +Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 6 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +library where host.os.type == "windows" and + + process.code_signature.trusted == true and + + (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and + + not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*", "errorChaining") and + + /* Suspicious Paths */ + dll.path : ("?:\\PerfLogs\\*.dll", + "?:\\Users\\*\\Pictures\\*.dll", + "?:\\Users\\*\\Music\\*.dll", + "?:\\Users\\Public\\*.dll", + "?:\\Users\\*\\Documents\\*.dll", + "?:\\Windows\\Tasks\\*.dll", + "?:\\Windows\\System32\\Tasks\\*.dll", + "?:\\Intel\\*.dll", + "?:\\AMD\\Temp\\*.dll", + "?:\\Windows\\AppReadiness\\*.dll", + "?:\\Windows\\ServiceState\\*.dll", + "?:\\Windows\\security\\*.dll", + "?:\\Windows\\System\\*.dll", + "?:\\Windows\\IdentityCRL\\*.dll", + "?:\\Windows\\Branding\\*.dll", + "?:\\Windows\\csc\\*.dll", + "?:\\Windows\\DigitalLocker\\*.dll", + "?:\\Windows\\en-US\\*.dll", + "?:\\Windows\\wlansvc\\*.dll", + "?:\\Windows\\Prefetch\\*.dll", + "?:\\Windows\\Fonts\\*.dll", + "?:\\Windows\\diagnostics\\*.dll", + "?:\\Windows\\TAPI\\*.dll", + "?:\\Windows\\INF\\*.dll", + "?:\\windows\\tracing\\*.dll", + "?:\\windows\\IME\\*.dll", + "?:\\Windows\\Performance\\*.dll", + "?:\\windows\\intel\\*.dll", + "?:\\windows\\ms\\*.dll", + "?:\\Windows\\dot3svc\\*.dll", + "?:\\Windows\\ServiceProfiles\\*.dll", + "?:\\Windows\\panther\\*.dll", + "?:\\Windows\\RemotePackages\\*.dll", + "?:\\Windows\\OCR\\*.dll", + "?:\\Windows\\appcompat\\*.dll", + "?:\\Windows\\apppatch\\*.dll", + "?:\\Windows\\addins\\*.dll", + "?:\\Windows\\Setup\\*.dll", + "?:\\Windows\\Help\\*.dll", + "?:\\Windows\\SKB\\*.dll", + "?:\\Windows\\Vss\\*.dll", + "?:\\Windows\\Web\\*.dll", + "?:\\Windows\\servicing\\*.dll", + "?:\\Windows\\CbsTemp\\*.dll", + "?:\\Windows\\Logs\\*.dll", + "?:\\Windows\\WaaS\\*.dll", + "?:\\Windows\\twain_32\\*.dll", + "?:\\Windows\\ShellExperiences\\*.dll", + "?:\\Windows\\ShellComponents\\*.dll", + "?:\\Windows\\PLA\\*.dll", + "?:\\Windows\\Migration\\*.dll", + "?:\\Windows\\debug\\*.dll", + "?:\\Windows\\Cursors\\*.dll", + "?:\\Windows\\Containers\\*.dll", + "?:\\Windows\\Boot\\*.dll", + "?:\\Windows\\bcastdvr\\*.dll", + "?:\\Windows\\TextInput\\*.dll", + "?:\\Windows\\schemas\\*.dll", + "?:\\Windows\\SchCache\\*.dll", + "?:\\Windows\\Resources\\*.dll", + "?:\\Windows\\rescache\\*.dll", + "?:\\Windows\\Provisioning\\*.dll", + "?:\\Windows\\PrintDialog\\*.dll", + "?:\\Windows\\PolicyDefinitions\\*.dll", + "?:\\Windows\\media\\*.dll", + "?:\\Windows\\Globalization\\*.dll", + "?:\\Windows\\L2Schemas\\*.dll", + "?:\\Windows\\LiveKernelReports\\*.dll", + "?:\\Windows\\ModemLogs\\*.dll", + "?:\\Windows\\ImmersiveControlPanel\\*.dll", + "?:\\$Recycle.Bin\\*.dll") and + + /* DLL loaded from the process.executable current directory */ + endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1))) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Sub-technique: +** Name: Invalid Code Signature +** ID: T1036.001 +** Reference URL: https://attack.mitre.org/techniques/T1036/001/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: +** Name: DLL Side-Loading +** ID: T1574.002 +** Reference URL: https://attack.mitre.org/techniques/T1574/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-child-process-from-a-system-virtual-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-child-process-from-a-system-virtual-process.asciidoc new file mode 100644 index 0000000000..5b671d7856 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-child-process-from-a-system-virtual-process.asciidoc @@ -0,0 +1,65 @@ +[[prebuilt-rule-8-11-3-unusual-child-process-from-a-system-virtual-process]] +=== Unusual Child Process from a System Virtual Process + +Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.pid == 4 and + not process.executable : ("Registry", "MemCompression", "?:\\Windows\\System32\\smss.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-child-process-of-dns-exe.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-child-process-of-dns-exe.asciidoc new file mode 100644 index 0000000000..e049b94697 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-child-process-of-dns-exe.asciidoc @@ -0,0 +1,115 @@ +[[prebuilt-rule-8-11-3-unusual-child-process-of-dns-exe]] +=== Unusual Child Process of dns.exe + +Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ +* https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/ +* https://github.com/maxpl0it/CVE-2020-1350-DoS +* https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual Child Process of dns.exe + +SIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure. + +This rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. + - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`). + - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`. + - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the host during the past 48 hours. +- Check whether the server is vulnerable to CVE-2020-1350. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Reimage the host operating system or restore the compromised server to a clean state. +- Install the latest patches on systems that run Microsoft DNS Server. +- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.parent.name : "dns.exe" and + not process.name : "conhost.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-executable-file-creation-by-a-system-critical-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-executable-file-creation-by-a-system-critical-process.asciidoc new file mode 100644 index 0000000000..9d8aa509c3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-executable-file-creation-by-a-system-critical-process.asciidoc @@ -0,0 +1,141 @@ +[[prebuilt-rule-8-11-3-unusual-executable-file-creation-by-a-system-critical-process]] +=== Unusual Executable File Creation by a System Critical Process + +Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual Executable File Creation by a System Critical Process + +Windows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations. + +This rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type != "deletion" and + file.extension : ("exe", "dll") and + process.name : ("smss.exe", + "autochk.exe", + "csrss.exe", + "wininit.exe", + "services.exe", + "lsass.exe", + "winlogon.exe", + "userinit.exe", + "LogonUI.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Exploitation for Defense Evasion +** ID: T1211 +** Reference URL: https://attack.mitre.org/techniques/T1211/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Exploitation for Client Execution +** ID: T1203 +** Reference URL: https://attack.mitre.org/techniques/T1203/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-file-creation-alternate-data-stream.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-file-creation-alternate-data-stream.asciidoc new file mode 100644 index 0000000000..9e9c49285c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-file-creation-alternate-data-stream.asciidoc @@ -0,0 +1,191 @@ +[[prebuilt-rule-8-11-3-unusual-file-creation-alternate-data-stream]] +=== Unusual File Creation - Alternate Data Stream + +Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 112 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual File Creation - Alternate Data Stream + +Alternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute. + +The regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream. + +Attackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this: + - `Get-Content C:\Path\To\file.exe -stream SampleAlternateDataStreamName` +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process executable and file conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and + + file.path : "C:\\*:*" and + not file.path : + ("C:\\*:zone.identifier*", + "C:\\users\\*\\appdata\\roaming\\microsoft\\teams\\old_weblogs_*:$DATA") and + + not process.executable : + ("?:\\windows\\System32\\svchost.exe", + "?:\\Windows\\System32\\inetsrv\\w3wp.exe", + "?:\\Windows\\explorer.exe", + "?:\\Windows\\System32\\sihost.exe", + "?:\\Windows\\System32\\PickerHost.exe", + "?:\\Windows\\System32\\SearchProtocolHost.exe", + "?:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe", + "?:\\Program Files\\Rivet Networks\\SmartByte\\SmartByteNetworkService.exe", + "?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "?:\\Program Files\\ExpressConnect\\ExpressConnectNetworkService.exe", + "?:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Program Files\\Mozilla Firefox\\firefox.exe", + "?:\\Program Files(x86)\\Microsoft Office\\root\\*\\EXCEL.EXE", + "?:\\Program Files\\Microsoft Office\\root\\*\\EXCEL.EXE", + "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\OUTLOOK.EXE", + "?:\\Program Files\\Microsoft Office\\root\\*\\OUTLOOK.EXE", + "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\POWERPNT.EXE", + "?:\\Program Files\\Microsoft Office\\root\\*\\POWERPNT.EXE", + "?:\\Program Files (x86)\\Microsoft Office\\root\\*\\WINWORD.EXE", + "?:\\Program Files\\Microsoft Office\\root\\*\\WINWORD.EXE") and + + file.extension : + ( + "pdf", + "dll", + "png", + "exe", + "dat", + "com", + "bat", + "cmd", + "sys", + "vbs", + "ps1", + "hta", + "txt", + "vbe", + "js", + "wsh", + "docx", + "doc", + "xlsx", + "xls", + "pptx", + "ppt", + "rtf", + "gif", + "jpg", + "png", + "bmp", + "img", + "iso" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: NTFS File Attributes +** ID: T1564.004 +** Reference URL: https://attack.mitre.org/techniques/T1564/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-file-modification-by-dns-exe.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-file-modification-by-dns-exe.asciidoc new file mode 100644 index 0000000000..9c63946609 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-file-modification-by-dns-exe.asciidoc @@ -0,0 +1,85 @@ +[[prebuilt-rule-8-11-3-unusual-file-modification-by-dns-exe]] +=== Unusual File Modification by dns.exe + +Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ +* https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/ +* https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Endgame +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual File Write +Detection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation: +- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms. +- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care. + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and + not file.name : "dns.log" and not + (file.extension : ("old", "temp", "bak", "dns", "arpa") and file.path : "C:\\Windows\\System32\\dns\\*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Exploitation of Remote Services +** ID: T1210 +** Reference URL: https://attack.mitre.org/techniques/T1210/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-parent-child-relationship.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-parent-child-relationship.asciidoc new file mode 100644 index 0000000000..6713d77515 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-parent-child-relationship.asciidoc @@ -0,0 +1,158 @@ +[[prebuilt-rule-8-11-3-unusual-parent-child-relationship]] +=== Unusual Parent-Child Relationship + +Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png +* https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Unusual Parent-Child Relationship + +Windows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline. + +This rule uses this information to spot suspicious parent and child processes. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and +process.parent.name != null and + ( + /* suspicious parent processes */ + (process.name:"autochk.exe" and not process.parent.name:"smss.exe") or + (process.name:("fontdrvhost.exe", "dwm.exe") and not process.parent.name:("wininit.exe", "winlogon.exe")) or + (process.name:("consent.exe", "RuntimeBroker.exe", "TiWorker.exe") and not process.parent.name:"svchost.exe") or + (process.name:"SearchIndexer.exe" and not process.parent.name:"services.exe") or + (process.name:"SearchProtocolHost.exe" and not process.parent.name:("SearchIndexer.exe", "dllhost.exe")) or + (process.name:"dllhost.exe" and not process.parent.name:("services.exe", "svchost.exe")) or + (process.name:"smss.exe" and not process.parent.name:("System", "smss.exe")) or + (process.name:"csrss.exe" and not process.parent.name:("smss.exe", "svchost.exe")) or + (process.name:"wininit.exe" and not process.parent.name:"smss.exe") or + (process.name:"winlogon.exe" and not process.parent.name:"smss.exe") or + (process.name:("lsass.exe", "LsaIso.exe") and not process.parent.name:"wininit.exe") or + (process.name:"LogonUI.exe" and not process.parent.name:("wininit.exe", "winlogon.exe")) or + (process.name:"services.exe" and not process.parent.name:"wininit.exe") or + (process.name:"svchost.exe" and not process.parent.name:("MsMpEng.exe", "services.exe")) or + (process.name:"spoolsv.exe" and not process.parent.name:"services.exe") or + (process.name:"taskhost.exe" and not process.parent.name:("services.exe", "svchost.exe")) or + (process.name:"taskhostw.exe" and not process.parent.name:("services.exe", "svchost.exe")) or + (process.name:"userinit.exe" and not process.parent.name:("dwm.exe", "winlogon.exe")) or + (process.name:("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") and not process.parent.name:"svchost.exe") or + /* suspicious child processes */ + (process.parent.name:("SearchProtocolHost.exe", "taskhost.exe", "csrss.exe") and not process.name:("werfault.exe", "wermgr.exe", "WerFaultSecure.exe")) or + (process.parent.name:"autochk.exe" and not process.name:("chkdsk.exe", "doskey.exe", "WerFault.exe")) or + (process.parent.name:"smss.exe" and not process.name:("autochk.exe", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "setupcl.exe", "WerFault.exe")) or + (process.parent.name:"wermgr.exe" and not process.name:("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe")) or + (process.parent.name:"conhost.exe" and not process.name:("mscorsvw.exe", "wermgr.exe", "WerFault.exe", "WerFaultSecure.exe")) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Process Hollowing +** ID: T1055.012 +** Reference URL: https://attack.mitre.org/techniques/T1055/012/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-parent-process-for-cmd-exe.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-parent-process-for-cmd-exe.asciidoc new file mode 100644 index 0000000000..3417eb2245 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-parent-process-for-cmd-exe.asciidoc @@ -0,0 +1,89 @@ +[[prebuilt-rule-8-11-3-unusual-parent-process-for-cmd-exe]] +=== Unusual Parent Process for cmd.exe + +Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : "cmd.exe" and + process.parent.name : ("lsass.exe", + "csrss.exe", + "epad.exe", + "regsvr32.exe", + "dllhost.exe", + "LogonUI.exe", + "wermgr.exe", + "spoolsv.exe", + "jucheck.exe", + "jusched.exe", + "ctfmon.exe", + "taskhostw.exe", + "GoogleUpdate.exe", + "sppsvc.exe", + "sihost.exe", + "slui.exe", + "SIHClient.exe", + "SearchIndexer.exe", + "SearchProtocolHost.exe", + "FlashPlayerUpdateService.exe", + "WerFault.exe", + "WUDFHost.exe", + "unsecapp.exe", + "wlanext.exe" ) and + not (process.parent.name : "dllhost.exe" and process.parent.args : "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-print-spooler-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-print-spooler-child-process.asciidoc new file mode 100644 index 0000000000..670dc895eb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-print-spooler-child-process.asciidoc @@ -0,0 +1,75 @@ +[[prebuilt-rule-8-11-3-unusual-print-spooler-child-process]] +=== Unusual Print Spooler Child Process + +Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "spoolsv.exe" and + (?process.Ext.token.integrity_level_name : "System" or + ?winlog.event_data.IntegrityLevel : "System") and + + /* exclusions for FP control below */ + not process.name : ("splwow64.exe", "PDFCreator.exe", "acrodist.exe", "spoolsv.exe", "msiexec.exe", "route.exe", "WerFault.exe") and + not process.command_line : "*\\WINDOWS\\system32\\spool\\DRIVERS*" and + not (process.name : "net.exe" and process.command_line : ("*stop*", "*start*")) and + not (process.name : ("cmd.exe", "powershell.exe") and process.command_line : ("*.spl*", "*\\program files*", "*route add*")) and + not (process.name : "netsh.exe" and process.command_line : ("*add portopening*", "*rule name*")) and + not (process.name : "regsvr32.exe" and process.command_line : "*PrintConfig.dll*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-process-execution-path-alternate-data-stream.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-process-execution-path-alternate-data-stream.asciidoc new file mode 100644 index 0000000000..c5fe5904af --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-process-execution-path-alternate-data-stream.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-3-unusual-process-execution-path-alternate-data-stream]] +=== Unusual Process Execution Path - Alternate Data Stream + +Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.args : "?:\\*:*" and process.args_count == 1 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: NTFS File Attributes +** ID: T1564.004 +** Reference URL: https://attack.mitre.org/techniques/T1564/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-service-host-child-process-childless-service.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-service-host-child-process-childless-service.asciidoc new file mode 100644 index 0000000000..b5bfa81aa1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-service-host-child-process-childless-service.asciidoc @@ -0,0 +1,99 @@ +[[prebuilt-rule-8-11-3-unusual-service-host-child-process-childless-service]] +=== Unusual Service Host Child Process - Childless Service + +Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : "svchost.exe" and + + /* based on svchost service arguments -s svcname where the service is known to be childless */ + + process.parent.args : ("WdiSystemHost","LicenseManager", + "StorSvc","CDPSvc","cdbhsvc","BthAvctpSvc","SstpSvc","WdiServiceHost", + "imgsvc","TrkWks","WpnService","IKEEXT","PolicyAgent","CryptSvc", + "netprofm","ProfSvc","StateRepository","camsvc","LanmanWorkstation", + "NlaSvc","EventLog","hidserv","DisplayEnhancementService","ShellHWDetection", + "AppHostSvc","fhsvc","CscService","PushToInstall") and + + /* unknown FPs can be added here */ + + not process.name : ("WerFault.exe","WerFaultSecure.exe","wermgr.exe") and + not (process.executable : "?:\\Windows\\System32\\RelPost.exe" and process.parent.args : "WdiSystemHost") and + not (process.name : "rundll32.exe" and + process.args : "?:\\WINDOWS\\System32\\winethc.dll,ForceProxyDetectionOnNextRun" and process.parent.args : "WdiServiceHost") and + not (process.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\System32\\Kodak\\kds_i4x50\\lib\\lexexe.exe") and + process.parent.args : "imgsvc") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Process Hollowing +** ID: T1055.012 +** Reference URL: https://attack.mitre.org/techniques/T1055/012/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ +* Sub-technique: +** Name: Process Hollowing +** ID: T1055.012 +** Reference URL: https://attack.mitre.org/techniques/T1055/012/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-user-privilege-enumeration-via-id.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-user-privilege-enumeration-via-id.asciidoc new file mode 100644 index 0000000000..c057105644 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-unusual-user-privilege-enumeration-via-id.asciidoc @@ -0,0 +1,62 @@ +[[prebuilt-rule-8-11-3-unusual-user-privilege-enumeration-via-id]] +=== Unusual User Privilege Enumeration via id + +This rule monitors for a sequence of 20 "id" command executions within 1 second by the same parent process. This behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These scripts leverage the "id" command to enumerate the privileges of all users present on the system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 3 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.parent.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name == "id" and process.args_count == 2 and + not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Owner/User Discovery +** ID: T1033 +** Reference URL: https://attack.mitre.org/techniques/T1033/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-user-account-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-user-account-creation.asciidoc new file mode 100644 index 0000000000..6f31da59ef --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-user-account-creation.asciidoc @@ -0,0 +1,112 @@ +[[prebuilt-rule-8-11-3-user-account-creation]] +=== User Account Creation + +Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating User Account Creation + +Attackers may create new accounts (both local and domain) to maintain access to victim systems. + +This rule identifies the usage of `net.exe` to create new accounts. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Identify if the account was added to privileged groups or assigned special privileges after creation. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign. + +### Related rules + +- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e +- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Delete the created account. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : ("net.exe", "net1.exe") and + not process.parent.name : "net.exe" and + (process.args : "user" and process.args : ("/ad", "/add")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Local Account +** ID: T1136.001 +** Reference URL: https://attack.mitre.org/techniques/T1136/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-user-account-exposed-to-kerberoasting.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-user-account-exposed-to-kerberoasting.asciidoc new file mode 100644 index 0000000000..99814c9a87 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-user-account-exposed-to-kerberoasting.asciidoc @@ -0,0 +1,119 @@ +[[prebuilt-rule-8-11-3-user-account-exposed-to-kerberoasting]] +=== User account exposed to Kerberoasting + +Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting +* https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/ +* https://www.thehacker.recipes/ad/movement/kerberos/kerberoast +* https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting +* https://adsecurity.org/?p=280 +* https://github.com/OTRF/Set-AuditRule + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Active Directory +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating User account exposed to Kerberoasting + +Service Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers. + +By default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting. + +A user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex. + +For scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview). + +Attackers can also perform "Targeted Kerberoasting", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.). +- Investigate if tickets have been requested for the target account. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.). + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. Prioritize privileged accounts. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.action:"Directory Service Changes" and event.code:5136 and + winlog.event_data.OperationType:"%%14674" and + winlog.event_data.ObjectClass:"user" and + winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ +* Sub-technique: +** Name: Kerberoasting +** ID: T1558.003 +** Reference URL: https://attack.mitre.org/techniques/T1558/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-user-added-to-privileged-group.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-user-added-to-privileged-group.asciidoc new file mode 100644 index 0000000000..4950f75e33 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-user-added-to-privileged-group.asciidoc @@ -0,0 +1,111 @@ +[[prebuilt-rule-8-11-3-user-added-to-privileged-group]] +=== User Added to Privileged Group + +Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring +* Data Source: Active Directory + +*Version*: 108 + +*Rule authors*: + +* Elastic +* Skoetting + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating User Added to Privileged Group in Active Directory + +Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems. + +Attackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. This allows them to keep operating after the security team discovers abused accounts. + +This rule monitors events related to a user being added to a privileged group. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should manage members of this group. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If the admin is not aware of the operation, activate your Active Directory incident response plan. +- If the user does not need the administrator privileges, remove the account from the privileged group. +- Review the privileges of the administrator account that performed the action. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +iam where winlog.api:"wineventlog" and event.action == "added-member-to-group" and + group.name : ("Admin*", + "Local Administrators", + "Domain Admins", + "Enterprise Admins", + "Backup Admins", + "Schema Admins", + "DnsAdmins", + "Exchange Organization Administrators") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-virtual-machine-fingerprinting-via-grep.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-virtual-machine-fingerprinting-via-grep.asciidoc new file mode 100644 index 0000000000..34a109c883 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-virtual-machine-fingerprinting-via-grep.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-11-3-virtual-machine-fingerprinting-via-grep]] +=== Virtual Machine Fingerprinting via Grep + +An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objective-see.com/blog/blog_0x4F.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 104 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where event.type == "start" and + process.name in ("grep", "egrep") and user.id != "0" and + process.args : ("parallels*", "vmware*", "virtualbox*") and process.args : "Manufacturer*" and + not process.parent.executable in ("/Applications/Docker.app/Contents/MacOS/Docker", "/usr/libexec/kcare/virt-what") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-virtual-machine-fingerprinting.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-virtual-machine-fingerprinting.asciidoc new file mode 100644 index 0000000000..03add986f5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-virtual-machine-fingerprinting.asciidoc @@ -0,0 +1,68 @@ +[[prebuilt-rule-8-11-3-virtual-machine-fingerprinting]] +=== Virtual Machine Fingerprinting + +An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware. + +*Rule type*: query + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:linux and event.type:(start or process_started) and + process.args:("/sys/class/dmi/id/bios_version" or + "/sys/class/dmi/id/product_name" or + "/sys/class/dmi/id/chassis_vendor" or + "/proc/scsi/scsi" or + "/proc/ide/hd0/model") and + not user.name:root + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Information Discovery +** ID: T1082 +** Reference URL: https://attack.mitre.org/techniques/T1082/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-virtual-private-network-connection-attempt.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-virtual-private-network-connection-attempt.asciidoc new file mode 100644 index 0000000000..018d68970d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-virtual-private-network-connection-attempt.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-3-virtual-private-network-connection-attempt]] +=== Virtual Private Network Connection Attempt + +Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb +* https://www.unix.com/man-page/osx/8/networksetup/ +* https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + ( + (process.name : "networksetup" and process.args : "-connectpppoeservice") or + (process.name : "scutil" and process.args : "--nc" and process.args : "start") or + (process.name : "osascript" and process.command_line : "osascript*set VPN to service*") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-volume-shadow-copy-deleted-or-resized-via-vssadmin.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-volume-shadow-copy-deleted-or-resized-via-vssadmin.asciidoc new file mode 100644 index 0000000000..990012daa3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-volume-shadow-copy-deleted-or-resized-via-vssadmin.asciidoc @@ -0,0 +1,132 @@ +[[prebuilt-rule-8-11-3-volume-shadow-copy-deleted-or-resized-via-vssadmin]] +=== Volume Shadow Copy Deleted or Resized via VssAdmin + +Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin + +The Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders. + +A typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring. + +This rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB. +- Investigate other alerts associated with the user/host during the past 48 hours. +- If unsigned files are found on the process tree, retrieve them and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences in other hosts. +- Check if any files on the host machine have been encrypted. + + +### False positive analysis + +- This rule may produce benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Related rules + +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Priority should be given due to the advanced stage of this activity on the attack. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- If data was encrypted, deleted, or modified, activate your data recovery plan. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" + and (process.name : "vssadmin.exe" or process.pe.original_file_name == "VSSADMIN.EXE") and + process.args in ("delete", "resize") and process.args : "shadows*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-volume-shadow-copy-deletion-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-volume-shadow-copy-deletion-via-powershell.asciidoc new file mode 100644 index 0000000000..02309c3493 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-volume-shadow-copy-deletion-via-powershell.asciidoc @@ -0,0 +1,151 @@ +[[prebuilt-rule-8-11-3-volume-shadow-copy-deletion-via-powershell]] +=== Volume Shadow Copy Deletion via PowerShell + +Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy +* https://powershell.one/wmi/root/cimv2/win32_shadowcopy +* https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Volume Shadow Copy Deletion via PowerShell + +The Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders. + +A typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring. + +This rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them. + +#### Possible investigation steps + +- Investigate the program execution chain (parent process tree). +- Check whether the account is authorized to perform this operation. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- If unsigned files are found on the process tree, retrieve them and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences in other hosts. +- Check if any files on the host machine have been encrypted. + + +### False positive analysis + +- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Related rules + +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- Priority should be given due to the advanced stage of this activity on the attack. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- If data was encrypted, deleted, or modified, activate your data recovery plan. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and + process.args : ("*Get-WmiObject*", "*gwmi*", "*Get-CimInstance*", "*gcim*") and + process.args : ("*Win32_ShadowCopy*") and + process.args : ("*.Delete()*", "*Remove-WmiObject*", "*rwmi*", "*Remove-CimInstance*", "*rcim*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-volume-shadow-copy-deletion-via-wmic.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-volume-shadow-copy-deletion-via-wmic.asciidoc new file mode 100644 index 0000000000..1a839a7640 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-volume-shadow-copy-deletion-via-wmic.asciidoc @@ -0,0 +1,141 @@ +[[prebuilt-rule-8-11-3-volume-shadow-copy-deletion-via-wmic]] +=== Volume Shadow Copy Deletion via WMIC + +Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Impact +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Volume Shadow Copy Deletion via WMIC + +The Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders. + +A typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring. + +This rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter. + +#### Possible investigation steps + +- Investigate the program execution chain (parent process tree). +- Check whether the account is authorized to perform this operation. +- Contact the account owner and confirm whether they are aware of this activity. +- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB. +- Investigate other alerts associated with the user/host during the past 48 hours. +- If unsigned files are found on the process tree, retrieve them and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences in other hosts. +- Check if any files on the host machine have been encrypted. + + +### False positive analysis + +- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Related rules + +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Priority should be given due to the advanced stage of this activity on the attack. +- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- If data was encrypted, deleted, or modified, activate your data recovery plan. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : "WMIC.exe" or process.pe.original_file_name == "wmic.exe") and + process.args : "delete" and process.args : "shadowcopy" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Impact +** ID: TA0040 +** Reference URL: https://attack.mitre.org/tactics/TA0040/ +* Technique: +** Name: Inhibit System Recovery +** ID: T1490 +** Reference URL: https://attack.mitre.org/techniques/T1490/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-web-shell-detection-script-process-child-of-common-web-processes.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-web-shell-detection-script-process-child-of-common-web-processes.asciidoc new file mode 100644 index 0000000000..6f43c5bac5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-web-shell-detection-script-process-child-of-common-web-processes.asciidoc @@ -0,0 +1,159 @@ +[[prebuilt-rule-8-11-3-web-shell-detection-script-process-child-of-common-web-processes]] +=== Web Shell Detection: Script Process Child of Common Web Processes + +Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/ +* https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965 +* https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1 + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Initial Access +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Web Shell Detection: Script Process Child of Common Web Processes + +Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server. + +This rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell. + +#### Possible investigation steps + +- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes. +- Examine the command line to determine which commands or scripts were executed. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ("w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe") and + process.name : ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "wmic.exe", "wscript.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Server Software Component +** ID: T1505 +** Reference URL: https://attack.mitre.org/techniques/T1505/ +* Sub-technique: +** Name: Web Shell +** ID: T1505.003 +** Reference URL: https://attack.mitre.org/techniques/T1505/003/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Windows Command Shell +** ID: T1059.003 +** Reference URL: https://attack.mitre.org/techniques/T1059/003/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ +* Technique: +** Name: Windows Management Instrumentation +** ID: T1047 +** Reference URL: https://attack.mitre.org/techniques/T1047/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-webserver-access-logs-deleted.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-webserver-access-logs-deleted.asciidoc new file mode 100644 index 0000000000..1949c041d4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-webserver-access-logs-deleted.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-3-webserver-access-logs-deleted]] +=== WebServer Access Logs Deleted + +Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system. + +*Rule type*: eql + +*Rule indices*: + +* auditbeat-* +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Linux +* OS: Windows +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 104 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where event.type == "deletion" and + file.path : ("C:\\inetpub\\logs\\LogFiles\\*.log", + "/var/log/apache*/access.log", + "/etc/httpd/logs/access_log", + "/var/log/httpd/access_log", + "/var/www/*/logs/access.log") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Indicator Removal +** ID: T1070 +** Reference URL: https://attack.mitre.org/techniques/T1070/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-whoami-process-activity.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-whoami-process-activity.asciidoc new file mode 100644 index 0000000000..579911589e --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-whoami-process-activity.asciidoc @@ -0,0 +1,122 @@ +[[prebuilt-rule-8-11-3-whoami-process-activity]] +=== Whoami Process Activity + +Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* logs-system.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Discovery +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Whoami Process Activity + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software. + +This rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed. + +### Related rules + +- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and process.name : "whoami.exe" and +( + + (/* scoped for whoami execution under system privileges */ + (user.domain : ("NT AUTHORITY", "NT-AUTORITÄT", "AUTORITE NT", "IIS APPPOOL") or user.id : ("S-1-5-18", "S-1-5-19", "S-1-5-20")) and + + not (process.parent.name : "cmd.exe" and + process.parent.args : ("chcp 437>nul 2>&1 & C:\\WINDOWS\\System32\\whoami.exe /groups", + "chcp 437>nul 2>&1 & %systemroot%\\system32\\whoami /user", + "C:\\WINDOWS\\System32\\whoami.exe /groups", + "*WINDOWS\\system32\\config\\systemprofile*")) and + not (process.parent.executable : "C:\\Windows\\system32\\inetsrv\\appcmd.exe" and process.parent.args : "LIST") and + not process.parent.executable : ("C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe", + "C:\\Program Files\\Cohesity\\cohesity_windows_agent_service.exe")) or + + process.parent.name : ("wsmprovhost.exe", "w3wp.exe", "wmiprvse.exe", "rundll32.exe", "regsvr32.exe") + +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: System Owner/User Discovery +** ID: T1033 +** Reference URL: https://attack.mitre.org/techniques/T1033/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-defender-disabled-via-registry-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-defender-disabled-via-registry-modification.asciidoc new file mode 100644 index 0000000000..a576c292e8 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-defender-disabled-via-registry-modification.asciidoc @@ -0,0 +1,144 @@ +[[prebuilt-rule-8-11-3-windows-defender-disabled-via-registry-modification]] +=== Windows Defender Disabled via Registry Modification + +Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://thedfirreport.com/2020/12/13/defender-control/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Windows Defender Disabled via Registry Modification + +Microsoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks. + +This rule monitors the registry for configurations that disable Windows Defender or the start of its service. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check if this operation was approved and performed according to the organization's change management policy. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed. + +### Related rules + +- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87 +- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Re-enable Windows Defender and restore the service configurations to automatic start. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and event.type in ("creation", "change") and + ( + ( + registry.path: ( + "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", + "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware" + ) and + registry.data.strings: ("1", "0x00000001") + ) or + ( + registry.path: ( + "HKLM\\System\\*ControlSet*\\Services\\WinDefend\\Start", + "\\REGISTRY\\MACHINE\\System\\*ControlSet*\\Services\\WinDefend\\Start" + ) and + registry.data.strings in ("3", "4", "0x00000003", "0x00000004") + ) + ) and + + not process.executable : + ("?:\\WINDOWS\\system32\\services.exe", + "?:\\Windows\\System32\\svchost.exe", + "?:\\Program Files (x86)\\Trend Micro\\Security Agent\\NTRmv.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Sub-technique: +** Name: Indicator Blocking +** ID: T1562.006 +** Reference URL: https://attack.mitre.org/techniques/T1562/006/ +* Technique: +** Name: Modify Registry +** ID: T1112 +** Reference URL: https://attack.mitre.org/techniques/T1112/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-defender-exclusions-added-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-defender-exclusions-added-via-powershell.asciidoc new file mode 100644 index 0000000000..8f3086bfe3 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-defender-exclusions-added-via-powershell.asciidoc @@ -0,0 +1,144 @@ +[[prebuilt-rule-8-11-3-windows-defender-exclusions-added-via-powershell]] +=== Windows Defender Exclusions Added via PowerShell + +Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Windows Defender Exclusions Added via PowerShell + +Microsoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Examine the exclusion in order to determine the intent behind it. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. There are many legitimate reasons for exclusions, so it's important to gain context. + +### Related rules + +- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb +- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Exclusion lists for antimalware capabilities should always be routinely monitored for review. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and + process.args : ("*Add-MpPreference*", "*Set-MpPreference*") and + process.args : ("*-Exclusion*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Sub-technique: +** Name: Indicator Blocking +** ID: T1562.006 +** Reference URL: https://attack.mitre.org/techniques/T1562/006/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-firewall-disabled-via-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-firewall-disabled-via-powershell.asciidoc new file mode 100644 index 0000000000..8bbd2d08e2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-firewall-disabled-via-powershell.asciidoc @@ -0,0 +1,131 @@ +[[prebuilt-rule-8-11-3-windows-firewall-disabled-via-powershell]] +=== Windows Firewall Disabled via PowerShell + +Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* +* winlogbeat-* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps +* https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell +* http://powershellhelp.space/commands/set-netfirewallrule-psv5.php +* http://woshub.com/manage-windows-firewall-powershell/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Windows Firewall Disabled via PowerShell + +Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device. + +Attackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity. + +This rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. + +### False positive analysis + +- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting. +- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Re-enable the firewall with its desired configurations. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.action == "start" and + (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and + process.args : "*Set-NetFirewallProfile*" and + (process.args : "*-Enabled*" and process.args : "*False*") and + (process.args : "*-All*" or process.args : ("*Public*", "*Domain*", "*Private*")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify System Firewall +** ID: T1562.004 +** Reference URL: https://attack.mitre.org/techniques/T1562/004/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-registry-file-creation-in-smb-share.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-registry-file-creation-in-smb-share.asciidoc new file mode 100644 index 0000000000..c1a49b7691 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-registry-file-creation-in-smb-share.asciidoc @@ -0,0 +1,129 @@ +[[prebuilt-rule-8-11-3-windows-registry-file-creation-in-smb-share]] +=== Windows Registry File Creation in SMB Share + +Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled system. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/security-labs/detect-credential-access + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Tactic: Credential Access +* Resources: Investigation Guide +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Windows Registry File Creation in SMB Share + +Dumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets. + +Attackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt. + +#### Possible investigation steps + +- Investigate other alerts associated with the user/source host during the past 48 hours. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe. +- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response. + +### False positive analysis + +- Administrators can export registry hives for backup purposes. Check whether the user should be performing this kind of activity and is aware of it. + +### Related rules + +- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Reimage the host operating system and restore compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and + /* regf file header */ + file.Ext.header_bytes : "72656766*" and file.size >= 30000 and + process.pid == 4 and user.id : ("S-1-5-21*", "S-1-12-1-*") and + not file.path : ( + "?:\\*\\UPM_Profile\\NTUSER.DAT", + "?:\\*\\UPM_Profile\\NTUSER.DAT.LASTGOOD.LOAD", + "?:\\Windows\\Netwrix\\Temp\\????????.???.offreg", + "?:\\*\\AppData\\Local\\Packages\\Microsoft.*\\Settings\\settings.dat*" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Sub-technique: +** Name: Security Account Manager +** ID: T1003.002 +** Reference URL: https://attack.mitre.org/techniques/T1003/002/ +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-script-executing-powershell.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-script-executing-powershell.asciidoc new file mode 100644 index 0000000000..bcc168056d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-script-executing-powershell.asciidoc @@ -0,0 +1,144 @@ +[[prebuilt-rule-8-11-3-windows-script-executing-powershell]] +=== Windows Script Executing PowerShell + +Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Execution +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Windows Script Executing PowerShell + +The Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation. + +Attackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals. + +This rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate commands executed by the spawned PowerShell process. +- If unsigned files are found on the process tree, retrieve them and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Determine how the script file was delivered (email attachment, dropped by other processes, etc.). +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- If the malicious file was delivered via phishing: + - Block the email sender from sending future emails. + - Block the malicious web pages. + - Remove emails from the sender from mailboxes. + - Consider improvements to the security awareness program. +- Reimage the host operating system and restore compromised files to clean versions. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + process.parent.name : ("cscript.exe", "wscript.exe") and process.name : "powershell.exe" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: PowerShell +** ID: T1059.001 +** Reference URL: https://attack.mitre.org/techniques/T1059/001/ +* Sub-technique: +** Name: Visual Basic +** ID: T1059.005 +** Reference URL: https://attack.mitre.org/techniques/T1059/005/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-service-installed-via-an-unusual-client.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-service-installed-via-an-unusual-client.asciidoc new file mode 100644 index 0000000000..e6a906564c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-windows-service-installed-via-an-unusual-client.asciidoc @@ -0,0 +1,69 @@ +[[prebuilt-rule-8-11-3-windows-service-installed-via-an-unusual-client]] +=== Windows Service Installed via an Unusual Client + +Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.x86matthew.com/view_post?id=create_svc_rpc +* https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697 +* https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.action:"service-installed" and + (winlog.event_data.ClientProcessId:"0" or winlog.event_data.ParentProcessId:"0") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Windows Service +** ID: T1543.003 +** Reference URL: https://attack.mitre.org/techniques/T1543/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-zoom-meeting-with-no-passcode.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-zoom-meeting-with-no-passcode.asciidoc new file mode 100644 index 0000000000..743b751eb0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rule-8-11-3-zoom-meeting-with-no-passcode.asciidoc @@ -0,0 +1,61 @@ +[[prebuilt-rule-8-11-3-zoom-meeting-with-no-passcode]] +=== Zoom Meeting with no Passcode + +This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.zoom.us/a-message-to-our-users/ +* https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic + +*Tags*: + +* Data Source: Zoom +* Use Case: Configuration Audit +* Tactic: Initial Access + +*Version*: 102 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.type:creation and event.module:zoom and event.dataset:zoom.webhook and + event.action:meeting.created and not zoom.meeting.password:* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Exploit Public-Facing Application +** ID: T1190 +** Reference URL: https://attack.mitre.org/techniques/T1190/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rules-8-11-3-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rules-8-11-3-appendix.asciidoc new file mode 100644 index 0000000000..b0f799e37b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rules-8-11-3-appendix.asciidoc @@ -0,0 +1,376 @@ +["appendix",role="exclude",id="prebuilt-rule-8-11-3-prebuilt-rules-8-11-3-appendix"] += Downloadable rule update v8.11.3 + +This section lists all updates associated with version 8.11.3 of the Fleet integration *Prebuilt Security Detection Rules*. + + +include::prebuilt-rule-8-11-3-statistical-model-detected-c2-beaconing-activity.asciidoc[] +include::prebuilt-rule-8-11-3-statistical-model-detected-c2-beaconing-activity-with-high-confidence.asciidoc[] +include::prebuilt-rule-8-11-3-network-activity-detected-via-kworker.asciidoc[] +include::prebuilt-rule-8-11-3-attempt-to-clear-kernel-ring-buffer.asciidoc[] +include::prebuilt-rule-8-11-3-potential-malicious-file-downloaded-from-google-drive.asciidoc[] +include::prebuilt-rule-8-11-3-potential-cookies-theft-via-browser-debugging.asciidoc[] +include::prebuilt-rule-8-11-3-webserver-access-logs-deleted.asciidoc[] +include::prebuilt-rule-8-11-3-tampering-of-bash-command-line-history.asciidoc[] +include::prebuilt-rule-8-11-3-elastic-agent-service-terminated.asciidoc[] +include::prebuilt-rule-8-11-3-masquerading-space-after-filename.asciidoc[] +include::prebuilt-rule-8-11-3-timestomping-using-touch-command.asciidoc[] +include::prebuilt-rule-8-11-3-security-software-discovery-via-grep.asciidoc[] +include::prebuilt-rule-8-11-3-virtual-machine-fingerprinting-via-grep.asciidoc[] +include::prebuilt-rule-8-11-3-potential-reverse-shell-activity-via-terminal.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-java-child-process.asciidoc[] +include::prebuilt-rule-8-11-3-hosts-file-modified.asciidoc[] +include::prebuilt-rule-8-11-3-zoom-meeting-with-no-passcode.asciidoc[] +include::prebuilt-rule-8-11-3-threat-intel-ip-address-indicator-match.asciidoc[] +include::prebuilt-rule-8-11-3-threat-intel-hash-indicator-match.asciidoc[] +include::prebuilt-rule-8-11-3-threat-intel-windows-registry-indicator-match.asciidoc[] +include::prebuilt-rule-8-11-3-threat-intel-url-indicator-match.asciidoc[] +include::prebuilt-rule-8-11-3-network-activity-detected-via-cat.asciidoc[] +include::prebuilt-rule-8-11-3-potential-protocol-tunneling-via-chisel-client.asciidoc[] +include::prebuilt-rule-8-11-3-potential-protocol-tunneling-via-chisel-server.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-utility-launched-via-proxychains.asciidoc[] +include::prebuilt-rule-8-11-3-potential-linux-tunneling-and-or-port-forwarding.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc[] +include::prebuilt-rule-8-11-3-potential-protocol-tunneling-via-earthworm.asciidoc[] +include::prebuilt-rule-8-11-3-sensitive-files-compression.asciidoc[] +include::prebuilt-rule-8-11-3-potential-linux-credential-dumping-via-unshadow.asciidoc[] +include::prebuilt-rule-8-11-3-linux-init-pid-1-secret-dump-via-gdb.asciidoc[] +include::prebuilt-rule-8-11-3-potential-linux-local-account-brute-force-detected.asciidoc[] +include::prebuilt-rule-8-11-3-potential-external-linux-ssh-brute-force-detected.asciidoc[] +include::prebuilt-rule-8-11-3-potential-internal-linux-ssh-brute-force-detected.asciidoc[] +include::prebuilt-rule-8-11-3-potential-successful-linux-ftp-brute-force-attack-detected.asciidoc[] +include::prebuilt-rule-8-11-3-potential-successful-linux-rdp-brute-force-attack-detected.asciidoc[] +include::prebuilt-rule-8-11-3-potential-successful-ssh-brute-force-attack.asciidoc[] +include::prebuilt-rule-8-11-3-potential-linux-credential-dumping-via-proc-filesystem.asciidoc[] +include::prebuilt-rule-8-11-3-potential-openssh-backdoor-logging-activity.asciidoc[] +include::prebuilt-rule-8-11-3-attempt-to-disable-iptables-or-firewall.asciidoc[] +include::prebuilt-rule-8-11-3-attempt-to-disable-syslog-service.asciidoc[] +include::prebuilt-rule-8-11-3-base16-or-base32-encoding-decoding-activity.asciidoc[] +include::prebuilt-rule-8-11-3-system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc[] +include::prebuilt-rule-8-11-3-file-made-immutable-by-chattr.asciidoc[] +include::prebuilt-rule-8-11-3-potential-disabling-of-apparmor.asciidoc[] +include::prebuilt-rule-8-11-3-potential-disabling-of-selinux.asciidoc[] +include::prebuilt-rule-8-11-3-esxi-timestomping-using-touch-command.asciidoc[] +include::prebuilt-rule-8-11-3-file-deletion-via-shred.asciidoc[] +include::prebuilt-rule-8-11-3-file-permission-modification-in-writable-directory.asciidoc[] +include::prebuilt-rule-8-11-3-creation-of-hidden-files-and-directories-via-commandline.asciidoc[] +include::prebuilt-rule-8-11-3-creation-of-hidden-shared-object-file.asciidoc[] +include::prebuilt-rule-8-11-3-kernel-module-removal.asciidoc[] +include::prebuilt-rule-8-11-3-system-log-file-deletion.asciidoc[] +include::prebuilt-rule-8-11-3-potential-hidden-process-via-mount-hidepid.asciidoc[] +include::prebuilt-rule-8-11-3-potential-defense-evasion-via-proot.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-renaming-of-esxi-files.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-renaming-of-esxi-index-html-file.asciidoc[] +include::prebuilt-rule-8-11-3-esxi-discovery-via-find.asciidoc[] +include::prebuilt-rule-8-11-3-esxi-discovery-via-grep.asciidoc[] +include::prebuilt-rule-8-11-3-enumeration-of-kernel-modules.asciidoc[] +include::prebuilt-rule-8-11-3-hping-process-activity.asciidoc[] +include::prebuilt-rule-8-11-3-nping-process-activity.asciidoc[] +include::prebuilt-rule-8-11-3-potential-network-scan-executed-from-host.asciidoc[] +include::prebuilt-rule-8-11-3-potential-pspy-process-monitoring-detected.asciidoc[] +include::prebuilt-rule-8-11-3-sudo-command-enumeration-detected.asciidoc[] +include::prebuilt-rule-8-11-3-suid-sguid-enumeration-detected.asciidoc[] +include::prebuilt-rule-8-11-3-unusual-user-privilege-enumeration-via-id.asciidoc[] +include::prebuilt-rule-8-11-3-virtual-machine-fingerprinting.asciidoc[] +include::prebuilt-rule-8-11-3-abnormal-process-id-or-lock-file-created.asciidoc[] +include::prebuilt-rule-8-11-3-potential-curl-cve-2023-38545-exploitation.asciidoc[] +include::prebuilt-rule-8-11-3-file-creation-execution-and-self-deletion-in-suspicious-directory.asciidoc[] +include::prebuilt-rule-8-11-3-file-transfer-or-listener-established-via-netcat.asciidoc[] +include::prebuilt-rule-8-11-3-potential-upgrade-of-non-interactive-shell.asciidoc[] +include::prebuilt-rule-8-11-3-netcat-listener-established-via-rlwrap.asciidoc[] +include::prebuilt-rule-8-11-3-network-connection-via-recently-compiled-executable.asciidoc[] +include::prebuilt-rule-8-11-3-interactive-terminal-spawned-via-perl.asciidoc[] +include::prebuilt-rule-8-11-3-potential-linux-hack-tool-launched.asciidoc[] +include::prebuilt-rule-8-11-3-process-started-from-process-id-pid-file.asciidoc[] +include::prebuilt-rule-8-11-3-binary-executed-from-shared-memory-directory.asciidoc[] +include::prebuilt-rule-8-11-3-interactive-terminal-spawned-via-python.asciidoc[] +include::prebuilt-rule-8-11-3-potential-code-execution-via-postgresql.asciidoc[] +include::prebuilt-rule-8-11-3-linux-restricted-shell-breakout-via-linux-binary-s.asciidoc[] +include::prebuilt-rule-8-11-3-deprecated-potential-reverse-shell-via-suspicious-parent-process.asciidoc[] +include::prebuilt-rule-8-11-3-potential-reverse-shell-via-background-process.asciidoc[] +include::prebuilt-rule-8-11-3-potential-reverse-shell-via-java.asciidoc[] +include::prebuilt-rule-8-11-3-potential-reverse-shell-via-suspicious-child-process.asciidoc[] +include::prebuilt-rule-8-11-3-potential-meterpreter-reverse-shell.asciidoc[] +include::prebuilt-rule-8-11-3-potential-reverse-shell-via-suspicious-binary.asciidoc[] +include::prebuilt-rule-8-11-3-potential-reverse-shell.asciidoc[] +include::prebuilt-rule-8-11-3-potential-reverse-shell-via-udp.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-content-extracted-or-decompressed-via-funzip.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-mining-process-creation-event.asciidoc[] +include::prebuilt-rule-8-11-3-bpf-filter-applied-using-tc.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-data-encryption-via-openssl-utility.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-termination-of-esxi-process.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-file-changes-activity-detected.asciidoc[] +include::prebuilt-rule-8-11-3-potential-linux-ransomware-note-creation-detected.asciidoc[] +include::prebuilt-rule-8-11-3-high-number-of-process-terminations.asciidoc[] +include::prebuilt-rule-8-11-3-potential-ssh-it-ssh-worm-downloaded.asciidoc[] +include::prebuilt-rule-8-11-3-connection-to-external-network-via-telnet.asciidoc[] +include::prebuilt-rule-8-11-3-connection-to-internal-network-via-telnet.asciidoc[] +include::prebuilt-rule-8-11-3-chkconfig-service-add.asciidoc[] +include::prebuilt-rule-8-11-3-modification-of-openssh-binaries.asciidoc[] +include::prebuilt-rule-8-11-3-cron-job-created-or-changed-by-previously-unknown-process.asciidoc[] +include::prebuilt-rule-8-11-3-dynamic-linker-copy.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-file-creation-in-etc-for-persistence.asciidoc[] +include::prebuilt-rule-8-11-3-potential-persistence-through-init-d-detected.asciidoc[] +include::prebuilt-rule-8-11-3-kernel-module-load-via-insmod.asciidoc[] +include::prebuilt-rule-8-11-3-persistence-via-kde-autostart-script-or-desktop-file-modification.asciidoc[] +include::prebuilt-rule-8-11-3-potential-linux-backdoor-user-account-creation.asciidoc[] +include::prebuilt-rule-8-11-3-linux-group-creation.asciidoc[] +include::prebuilt-rule-8-11-3-potential-remote-code-execution-via-web-server.asciidoc[] +include::prebuilt-rule-8-11-3-linux-user-account-creation.asciidoc[] +include::prebuilt-rule-8-11-3-linux-user-added-to-privileged-group.asciidoc[] +include::prebuilt-rule-8-11-3-potential-persistence-through-motd-file-creation-detected.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-process-spawned-from-motd-detected.asciidoc[] +include::prebuilt-rule-8-11-3-potential-persistence-through-run-control-detected.asciidoc[] +include::prebuilt-rule-8-11-3-setcap-setuid-setgid-capability-set.asciidoc[] +include::prebuilt-rule-8-11-3-shared-object-created-or-changed-by-previously-unknown-process.asciidoc[] +include::prebuilt-rule-8-11-3-new-systemd-timer-created.asciidoc[] +include::prebuilt-rule-8-11-3-new-systemd-service-created-by-previously-unknown-process.asciidoc[] +include::prebuilt-rule-8-11-3-potential-unauthorized-access-via-wildcard-injection-detected.asciidoc[] +include::prebuilt-rule-8-11-3-potential-privilege-escalation-via-container-misconfiguration.asciidoc[] +include::prebuilt-rule-8-11-3-modification-of-dynamic-linker-preload-shared-object.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-symbolic-link-created.asciidoc[] +include::prebuilt-rule-8-11-3-potential-privilege-escalation-via-uid-int-max-bug-detected.asciidoc[] +include::prebuilt-rule-8-11-3-kernel-load-or-unload-via-kexec-detected.asciidoc[] +include::prebuilt-rule-8-11-3-potential-privilege-escalation-via-cve-2023-4911.asciidoc[] +include::prebuilt-rule-8-11-3-potential-privilege-escalation-via-overlayfs.asciidoc[] +include::prebuilt-rule-8-11-3-potential-privilege-escalation-via-pkexec.asciidoc[] +include::prebuilt-rule-8-11-3-potential-shell-via-wildcard-injection-detected.asciidoc[] +include::prebuilt-rule-8-11-3-potential-suspicious-debugfs-root-device-access.asciidoc[] +include::prebuilt-rule-8-11-3-potential-shadow-file-read-via-command-line-utilities.asciidoc[] +include::prebuilt-rule-8-11-3-potential-sudo-privilege-escalation-via-cve-2019-14287.asciidoc[] +include::prebuilt-rule-8-11-3-potential-sudo-hijacking-detected.asciidoc[] +include::prebuilt-rule-8-11-3-potential-sudo-token-manipulation-via-process-injection.asciidoc[] +include::prebuilt-rule-8-11-3-potential-privilege-escalation-via-python-cap-setuid.asciidoc[] +include::prebuilt-rule-8-11-3-potential-privilege-escalation-via-recently-compiled-executable.asciidoc[] +include::prebuilt-rule-8-11-3-namespace-manipulation-using-unshare.asciidoc[] +include::prebuilt-rule-8-11-3-potential-privilege-escalation-through-writable-docker-socket.asciidoc[] +include::prebuilt-rule-8-11-3-access-of-stored-browser-credentials.asciidoc[] +include::prebuilt-rule-8-11-3-access-to-keychain-credentials-directories.asciidoc[] +include::prebuilt-rule-8-11-3-dumping-of-keychain-content-via-security-command.asciidoc[] +include::prebuilt-rule-8-11-3-keychain-password-retrieval-via-command-line.asciidoc[] +include::prebuilt-rule-8-11-3-prompt-for-credentials-with-osascript.asciidoc[] +include::prebuilt-rule-8-11-3-attempt-to-remove-file-quarantine-attribute.asciidoc[] +include::prebuilt-rule-8-11-3-potential-privacy-control-bypass-via-tccdb-modification.asciidoc[] +include::prebuilt-rule-8-11-3-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc[] +include::prebuilt-rule-8-11-3-enumeration-of-users-or-groups-via-built-in-commands.asciidoc[] +include::prebuilt-rule-8-11-3-attempt-to-mount-smb-share-via-command-line.asciidoc[] +include::prebuilt-rule-8-11-3-virtual-private-network-connection-attempt.asciidoc[] +include::prebuilt-rule-8-11-3-creation-of-hidden-login-item-via-apple-script.asciidoc[] +include::prebuilt-rule-8-11-3-emond-rules-creation-or-modification.asciidoc[] +include::prebuilt-rule-8-11-3-creation-of-hidden-launch-agent-or-daemon.asciidoc[] +include::prebuilt-rule-8-11-3-persistence-via-login-or-logout-hook.asciidoc[] +include::prebuilt-rule-8-11-3-sublime-plugin-or-application-script-modification.asciidoc[] +include::prebuilt-rule-8-11-3-unexpected-child-process-of-macos-screensaver-engine.asciidoc[] +include::prebuilt-rule-8-11-3-screensaver-plist-file-modified-by-unexpected-process.asciidoc[] +include::prebuilt-rule-8-11-3-apple-scripting-execution-with-administrator-privileges.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-inter-process-communication-via-outlook.asciidoc[] +include::prebuilt-rule-8-11-3-exporting-exchange-mailbox-via-powershell.asciidoc[] +include::prebuilt-rule-8-11-3-powershell-suspicious-script-with-audio-capture-capabilities.asciidoc[] +include::prebuilt-rule-8-11-3-powershell-suspicious-script-with-clipboard-retrieval-capabilities.asciidoc[] +include::prebuilt-rule-8-11-3-powershell-keylogging-script.asciidoc[] +include::prebuilt-rule-8-11-3-powershell-mailbox-collection-script.asciidoc[] +include::prebuilt-rule-8-11-3-powershell-suspicious-script-with-screenshot-capabilities.asciidoc[] +include::prebuilt-rule-8-11-3-encrypting-files-with-winrar-or-7z.asciidoc[] +include::prebuilt-rule-8-11-3-connection-to-commonly-abused-web-services.asciidoc[] +include::prebuilt-rule-8-11-3-potential-dns-tunneling-via-nslookup.asciidoc[] +include::prebuilt-rule-8-11-3-connection-to-commonly-abused-free-ssl-certificate-providers.asciidoc[] +include::prebuilt-rule-8-11-3-ingress-transfer-via-windows-bits.asciidoc[] +include::prebuilt-rule-8-11-3-port-forwarding-rule-addition.asciidoc[] +include::prebuilt-rule-8-11-3-potential-remote-desktop-tunneling-detected.asciidoc[] +include::prebuilt-rule-8-11-3-remote-file-download-via-desktopimgdownldr-utility.asciidoc[] +include::prebuilt-rule-8-11-3-remote-file-download-via-mpcmdrun.asciidoc[] +include::prebuilt-rule-8-11-3-remote-file-download-via-powershell.asciidoc[] +include::prebuilt-rule-8-11-3-remote-file-copy-via-teamviewer.asciidoc[] +include::prebuilt-rule-8-11-3-privileged-account-brute-force.asciidoc[] +include::prebuilt-rule-8-11-3-multiple-logon-failure-followed-by-logon-success.asciidoc[] +include::prebuilt-rule-8-11-3-multiple-logon-failure-from-the-same-source-address.asciidoc[] +include::prebuilt-rule-8-11-3-potential-credential-access-via-windows-utilities.asciidoc[] +include::prebuilt-rule-8-11-3-ntds-or-sam-database-file-copied.asciidoc[] +include::prebuilt-rule-8-11-3-firsttime-seen-account-performing-dcsync.asciidoc[] +include::prebuilt-rule-8-11-3-potential-credential-access-via-dcsync.asciidoc[] +include::prebuilt-rule-8-11-3-kerberos-pre-authentication-disabled-for-user.asciidoc[] +include::prebuilt-rule-8-11-3-creation-or-modification-of-domain-backup-dpapi-private-key.asciidoc[] +include::prebuilt-rule-8-11-3-credential-acquisition-via-registry-hive-dumping.asciidoc[] +include::prebuilt-rule-8-11-3-microsoft-iis-service-account-password-dumped.asciidoc[] +include::prebuilt-rule-8-11-3-microsoft-iis-connection-strings-decryption.asciidoc[] +include::prebuilt-rule-8-11-3-kerberos-traffic-from-unusual-process.asciidoc[] +include::prebuilt-rule-8-11-3-access-to-a-sensitive-ldap-attribute.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-lsass-access-via-malseclogon.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-module-loaded-by-lsass.asciidoc[] +include::prebuilt-rule-8-11-3-lsass-memory-dump-creation.asciidoc[] +include::prebuilt-rule-8-11-3-lsass-memory-dump-handle-access.asciidoc[] +include::prebuilt-rule-8-11-3-lsass-process-access-via-windows-api.asciidoc[] +include::prebuilt-rule-8-11-3-mimikatz-memssp-log-file-detected.asciidoc[] +include::prebuilt-rule-8-11-3-potential-invoke-mimikatz-powershell-script.asciidoc[] +include::prebuilt-rule-8-11-3-modification-of-wdigest-security-provider.asciidoc[] +include::prebuilt-rule-8-11-3-windows-registry-file-creation-in-smb-share.asciidoc[] +include::prebuilt-rule-8-11-3-network-logon-provider-registry-modification.asciidoc[] +include::prebuilt-rule-8-11-3-powershell-kerberos-ticket-dump.asciidoc[] +include::prebuilt-rule-8-11-3-powershell-minidump-script.asciidoc[] +include::prebuilt-rule-8-11-3-powershell-kerberos-ticket-request.asciidoc[] +include::prebuilt-rule-8-11-3-potential-credential-access-via-duplicatehandle-in-lsass.asciidoc[] +include::prebuilt-rule-8-11-3-potential-remote-credential-access-via-registry.asciidoc[] +include::prebuilt-rule-8-11-3-multiple-vault-web-credentials-read.asciidoc[] +include::prebuilt-rule-8-11-3-searching-for-saved-credentials-via-vaultcmd.asciidoc[] +include::prebuilt-rule-8-11-3-sensitive-privilege-seenabledelegationprivilege-assigned-to-a-user.asciidoc[] +include::prebuilt-rule-8-11-3-potential-shadow-credentials-added-to-ad-object.asciidoc[] +include::prebuilt-rule-8-11-3-user-account-exposed-to-kerberoasting.asciidoc[] +include::prebuilt-rule-8-11-3-potential-credential-access-via-renamed-com-services-dll.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-lsass-process-access.asciidoc[] +include::prebuilt-rule-8-11-3-potential-credential-access-via-lsass-memory-dump.asciidoc[] +include::prebuilt-rule-8-11-3-potential-lsass-memory-dump-via-psscapturesnapshot.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-remote-registry-access-via-sebackupprivilege.asciidoc[] +include::prebuilt-rule-8-11-3-symbolic-link-to-shadow-copy-created.asciidoc[] +include::prebuilt-rule-8-11-3-potential-lsass-clone-creation-via-psscapturesnapshot.asciidoc[] +include::prebuilt-rule-8-11-3-modification-of-amsienable-registry-key.asciidoc[] +include::prebuilt-rule-8-11-3-clearing-windows-console-history.asciidoc[] +include::prebuilt-rule-8-11-3-clearing-windows-event-logs.asciidoc[] +include::prebuilt-rule-8-11-3-creation-or-modification-of-root-certificate.asciidoc[] +include::prebuilt-rule-8-11-3-windows-defender-disabled-via-registry-modification.asciidoc[] +include::prebuilt-rule-8-11-3-windows-defender-exclusions-added-via-powershell.asciidoc[] +include::prebuilt-rule-8-11-3-disable-windows-firewall-rules-via-netsh.asciidoc[] +include::prebuilt-rule-8-11-3-disabling-windows-defender-security-settings-via-powershell.asciidoc[] +include::prebuilt-rule-8-11-3-disable-windows-event-and-security-logs-using-built-in-tools.asciidoc[] +include::prebuilt-rule-8-11-3-dns-over-https-enabled-via-registry.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-net-code-compilation.asciidoc[] +include::prebuilt-rule-8-11-3-remote-desktop-enabled-in-windows-firewall-by-netsh.asciidoc[] +include::prebuilt-rule-8-11-3-enable-host-network-discovery-via-netsh.asciidoc[] +include::prebuilt-rule-8-11-3-control-panel-process-with-unusual-arguments.asciidoc[] +include::prebuilt-rule-8-11-3-imageload-via-windows-update-auto-update-client.asciidoc[] +include::prebuilt-rule-8-11-3-microsoft-build-engine-started-by-an-office-application.asciidoc[] +include::prebuilt-rule-8-11-3-microsoft-build-engine-started-by-a-script-process.asciidoc[] +include::prebuilt-rule-8-11-3-microsoft-build-engine-started-by-a-system-process.asciidoc[] +include::prebuilt-rule-8-11-3-microsoft-build-engine-using-an-alternate-name.asciidoc[] +include::prebuilt-rule-8-11-3-microsoft-build-engine-started-an-unusual-process.asciidoc[] +include::prebuilt-rule-8-11-3-potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc[] +include::prebuilt-rule-8-11-3-potential-dll-side-loading-via-microsoft-antimalware-service-executable.asciidoc[] +include::prebuilt-rule-8-11-3-executable-file-creation-with-multiple-extensions.asciidoc[] +include::prebuilt-rule-8-11-3-process-execution-from-an-unusual-directory.asciidoc[] +include::prebuilt-rule-8-11-3-iis-http-logging-disabled.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-endpoint-security-parent-process.asciidoc[] +include::prebuilt-rule-8-11-3-renamed-autoit-scripts-interpreter.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-werfault-child-process.asciidoc[] +include::prebuilt-rule-8-11-3-program-files-directory-masquerading.asciidoc[] +include::prebuilt-rule-8-11-3-microsoft-windows-defender-tampering.asciidoc[] +include::prebuilt-rule-8-11-3-ms-office-macro-security-registry-modifications.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-net-reflection-via-powershell.asciidoc[] +include::prebuilt-rule-8-11-3-powershell-suspicious-payload-encoded-and-compressed.asciidoc[] +include::prebuilt-rule-8-11-3-potential-process-injection-via-powershell.asciidoc[] +include::prebuilt-rule-8-11-3-windows-firewall-disabled-via-powershell.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-microsoft-diagnostics-wizard-execution.asciidoc[] +include::prebuilt-rule-8-11-3-scheduled-tasks-at-command-enabled.asciidoc[] +include::prebuilt-rule-8-11-3-solarwinds-process-disabling-services-via-registry.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-execution-from-a-mounted-device.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-process-access-via-direct-system-call.asciidoc[] +include::prebuilt-rule-8-11-3-unusual-executable-file-creation-by-a-system-critical-process.asciidoc[] +include::prebuilt-rule-8-11-3-unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc[] +include::prebuilt-rule-8-11-3-unusual-file-creation-alternate-data-stream.asciidoc[] +include::prebuilt-rule-8-11-3-unusual-process-execution-path-alternate-data-stream.asciidoc[] +include::prebuilt-rule-8-11-3-unusual-child-process-from-a-system-virtual-process.asciidoc[] +include::prebuilt-rule-8-11-3-signed-proxy-execution-via-ms-work-folders.asciidoc[] +include::prebuilt-rule-8-11-3-adfind-command-activity.asciidoc[] +include::prebuilt-rule-8-11-3-enumeration-of-administrator-accounts.asciidoc[] +include::prebuilt-rule-8-11-3-account-discovery-command-via-system-account.asciidoc[] +include::prebuilt-rule-8-11-3-peripheral-device-discovery.asciidoc[] +include::prebuilt-rule-8-11-3-powershell-share-enumeration-script.asciidoc[] +include::prebuilt-rule-8-11-3-powershell-suspicious-discovery-related-windows-api-functions.asciidoc[] +include::prebuilt-rule-8-11-3-enumeration-of-privileged-local-groups-membership.asciidoc[] +include::prebuilt-rule-8-11-3-whoami-process-activity.asciidoc[] +include::prebuilt-rule-8-11-3-command-execution-via-solarwinds-process.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-solarwinds-child-process.asciidoc[] +include::prebuilt-rule-8-11-3-execution-of-com-object-via-xwizard.asciidoc[] +include::prebuilt-rule-8-11-3-svchost-spawning-cmd.asciidoc[] +include::prebuilt-rule-8-11-3-unusual-parent-process-for-cmd-exe.asciidoc[] +include::prebuilt-rule-8-11-3-command-shell-activity-started-via-rundll32.asciidoc[] +include::prebuilt-rule-8-11-3-enumeration-command-spawned-via-wmiprvse.asciidoc[] +include::prebuilt-rule-8-11-3-execution-from-unusual-directory-command-line.asciidoc[] +include::prebuilt-rule-8-11-3-potential-powershell-hacktool-script-by-function-names.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-portable-executable-encoded-in-powershell-script.asciidoc[] +include::prebuilt-rule-8-11-3-powershell-psreflect-script.asciidoc[] +include::prebuilt-rule-8-11-3-execution-via-local-sxs-shared-module.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-cmd-execution-via-wmi.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-wmi-image-load-from-ms-office.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-pdf-reader-child-process.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-process-execution-via-renamed-psexec-executable.asciidoc[] +include::prebuilt-rule-8-11-3-process-activity-via-compiled-html-file.asciidoc[] +include::prebuilt-rule-8-11-3-conhost-spawned-by-suspicious-parent-process.asciidoc[] +include::prebuilt-rule-8-11-3-third-party-backup-files-deleted-via-unexpected-process.asciidoc[] +include::prebuilt-rule-8-11-3-deleting-backup-catalogs-with-wbadmin.asciidoc[] +include::prebuilt-rule-8-11-3-modification-of-boot-configuration.asciidoc[] +include::prebuilt-rule-8-11-3-volume-shadow-copy-deleted-or-resized-via-vssadmin.asciidoc[] +include::prebuilt-rule-8-11-3-volume-shadow-copy-deletion-via-powershell.asciidoc[] +include::prebuilt-rule-8-11-3-volume-shadow-copy-deletion-via-wmic.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-html-file-creation.asciidoc[] +include::prebuilt-rule-8-11-3-windows-script-executing-powershell.asciidoc[] +include::prebuilt-rule-8-11-3-microsoft-exchange-server-um-writing-suspicious-files.asciidoc[] +include::prebuilt-rule-8-11-3-microsoft-exchange-server-um-spawning-suspicious-processes.asciidoc[] +include::prebuilt-rule-8-11-3-microsoft-exchange-worker-spawning-suspicious-processes.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-ms-office-child-process.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-ms-outlook-child-process.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-explorer-child-process.asciidoc[] +include::prebuilt-rule-8-11-3-potential-remote-desktop-shadowing-activity.asciidoc[] +include::prebuilt-rule-8-11-3-execution-via-tsclient-mountpoint.asciidoc[] +include::prebuilt-rule-8-11-3-mounting-hidden-or-webdav-remote-shares.asciidoc[] +include::prebuilt-rule-8-11-3-rdp-enabled-via-registry.asciidoc[] +include::prebuilt-rule-8-11-3-remote-file-copy-to-a-hidden-share.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-rdp-activex-client-loaded.asciidoc[] +include::prebuilt-rule-8-11-3-unusual-child-process-of-dns-exe.asciidoc[] +include::prebuilt-rule-8-11-3-unusual-file-modification-by-dns-exe.asciidoc[] +include::prebuilt-rule-8-11-3-lateral-movement-via-startup-folder.asciidoc[] +include::prebuilt-rule-8-11-3-adobe-hijack-persistence.asciidoc[] +include::prebuilt-rule-8-11-3-registry-persistence-via-appcert-dll.asciidoc[] +include::prebuilt-rule-8-11-3-registry-persistence-via-appinit-dll.asciidoc[] +include::prebuilt-rule-8-11-3-creation-of-a-hidden-local-user-account.asciidoc[] +include::prebuilt-rule-8-11-3-persistence-via-scheduled-job-creation.asciidoc[] +include::prebuilt-rule-8-11-3-persistence-via-microsoft-office-addins.asciidoc[] +include::prebuilt-rule-8-11-3-persistence-via-microsoft-outlook-vba.asciidoc[] +include::prebuilt-rule-8-11-3-krbtgt-delegation-backdoor.asciidoc[] +include::prebuilt-rule-8-11-3-new-activesyncalloweddeviceid-added-via-powershell.asciidoc[] +include::prebuilt-rule-8-11-3-potential-modification-of-accessibility-binaries.asciidoc[] +include::prebuilt-rule-8-11-3-adminsdholder-sdprop-exclusion-added.asciidoc[] +include::prebuilt-rule-8-11-3-startup-persistence-by-a-suspicious-process.asciidoc[] +include::prebuilt-rule-8-11-3-persistent-scripts-in-the-startup-directory.asciidoc[] +include::prebuilt-rule-8-11-3-component-object-model-hijacking.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-image-load-taskschd-dll-from-ms-office.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-execution-via-scheduled-task.asciidoc[] +include::prebuilt-rule-8-11-3-user-added-to-privileged-group.asciidoc[] +include::prebuilt-rule-8-11-3-user-account-creation.asciidoc[] +include::prebuilt-rule-8-11-3-potential-application-shimming-via-sdbinst.asciidoc[] +include::prebuilt-rule-8-11-3-persistence-via-bits-job-notify-cmdline.asciidoc[] +include::prebuilt-rule-8-11-3-persistence-via-hidden-run-key-detected.asciidoc[] +include::prebuilt-rule-8-11-3-installation-of-security-support-provider.asciidoc[] +include::prebuilt-rule-8-11-3-persistence-via-telemetrycontroller-scheduled-task-hijack.asciidoc[] +include::prebuilt-rule-8-11-3-persistence-via-update-orchestrator-service-hijack.asciidoc[] +include::prebuilt-rule-8-11-3-persistence-via-wmi-event-subscription.asciidoc[] +include::prebuilt-rule-8-11-3-execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc[] +include::prebuilt-rule-8-11-3-web-shell-detection-script-process-child-of-common-web-processes.asciidoc[] +include::prebuilt-rule-8-11-3-process-creation-via-secondary-logon.asciidoc[] +include::prebuilt-rule-8-11-3-modification-of-the-mspkiaccountcredentials.asciidoc[] +include::prebuilt-rule-8-11-3-disabling-user-account-control-via-registry-modification.asciidoc[] +include::prebuilt-rule-8-11-3-creation-or-modification-of-a-new-gpo-scheduled-task-or-service.asciidoc[] +include::prebuilt-rule-8-11-3-startup-logon-script-added-to-group-policy-object.asciidoc[] +include::prebuilt-rule-8-11-3-group-policy-abuse-for-privilege-addition.asciidoc[] +include::prebuilt-rule-8-11-3-scheduled-task-execution-at-scale-via-gpo.asciidoc[] +include::prebuilt-rule-8-11-3-potential-privilege-escalation-via-installerfiletakeover.asciidoc[] +include::prebuilt-rule-8-11-3-privilege-escalation-via-named-pipe-impersonation.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-dll-loaded-for-persistence-or-privilege-escalation.asciidoc[] +include::prebuilt-rule-8-11-3-powershell-script-with-token-impersonation-capabilities.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-printspooler-service-executable-file-creation.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-print-spooler-file-deletion.asciidoc[] +include::prebuilt-rule-8-11-3-suspicious-print-spooler-spl-file-created.asciidoc[] +include::prebuilt-rule-8-11-3-potential-privileged-escalation-via-samaccountname-spoofing.asciidoc[] +include::prebuilt-rule-8-11-3-sedebugprivilege-enabled-by-a-suspicious-process.asciidoc[] +include::prebuilt-rule-8-11-3-uac-bypass-attempt-with-ieditionupgrademanager-elevated-com-interface.asciidoc[] +include::prebuilt-rule-8-11-3-uac-bypass-attempt-via-elevated-com-internet-explorer-add-on-installer.asciidoc[] +include::prebuilt-rule-8-11-3-uac-bypass-via-icmluautil-elevated-com-interface.asciidoc[] +include::prebuilt-rule-8-11-3-uac-bypass-via-diskcleanup-scheduled-task-hijack.asciidoc[] +include::prebuilt-rule-8-11-3-uac-bypass-attempt-via-privileged-ifileoperation-com-interface.asciidoc[] +include::prebuilt-rule-8-11-3-bypass-uac-via-event-viewer.asciidoc[] +include::prebuilt-rule-8-11-3-uac-bypass-attempt-via-windows-directory-masquerading.asciidoc[] +include::prebuilt-rule-8-11-3-uac-bypass-via-windows-firewall-snap-in-hijack.asciidoc[] +include::prebuilt-rule-8-11-3-unusual-parent-child-relationship.asciidoc[] +include::prebuilt-rule-8-11-3-unusual-print-spooler-child-process.asciidoc[] +include::prebuilt-rule-8-11-3-unusual-service-host-child-process-childless-service.asciidoc[] +include::prebuilt-rule-8-11-3-privilege-escalation-via-rogue-named-pipe-impersonation.asciidoc[] +include::prebuilt-rule-8-11-3-windows-service-installed-via-an-unusual-client.asciidoc[] diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rules-8-11-3-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rules-8-11-3-summary.asciidoc new file mode 100644 index 0000000000..77aec2c58f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-11-3/prebuilt-rules-8-11-3-summary.asciidoc @@ -0,0 +1,752 @@ +[[prebuilt-rule-8-11-3-prebuilt-rules-8-11-3-summary]] +[role="xpack"] +== Update v8.11.3 + +This section lists all updates associated with version 8.11.3 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|<> | A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network. | new | 1 + +|<> | A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network. | new | 1 + +|<> | This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process. | new | 1 + +|<> | Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events to evade detection after installing a Linux kernel module (LKM). | new | 1 + +|<> | Identifies potential malicious file download and execution from Google Drive. The rule checks for download activity from Google Drive URL, followed by the creation of files commonly leveraged by or for malware. This could indicate an attempt to run malicious scripts, executables or payloads. | update | 2 + +|<> | Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials. | update | 104 + +|<> | Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system. | update | 104 + +|<> | Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations. | update | 104 + +|<> | Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state. | update | 105 + +|<> | This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked. | update | 5 + +|<> | Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder. | update | 104 + +|<> | Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details. | update | 107 + +|<> | An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware. | update | 104 + +|<> | Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity. | update | 107 + +|<> | Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability. | update | 206 + +|<> | The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems. | update | 107 + +|<> | This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session. | update | 102 + +|<> | This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event. | update | 4 + +|<> | This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events. | update | 5 + +|<> | This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data. | update | 4 + +|<> | This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc. | update | 4 + +|<> | This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process. | update | 3 + +|<> | This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems. | update | 3 + +|<> | This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems. | update | 3 + +|<> | This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions. | update | 3 + +|<> | This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control. | update | 3 + +|<> | This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise. | update | 5 + +|<> | Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems. | update | 108 + +|<> | Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations. | update | 207 + +|<> | Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim. | update | 6 + +|<> | This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly. | update | 3 + +|<> | Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts. | update | 4 + +|<> | Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. | update | 5 + +|<> | Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts. | update | 9 + +|<> | An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication. | update | 4 + +|<> | An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication. | update | 4 + +|<> | Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts. | update | 9 + +|<> | Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. | update | 5 + +|<> | Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration. | update | 108 + +|<> | Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic. | update | 5 + +|<> | Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls. | update | 108 + +|<> | Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls. | update | 107 + +|<> | This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated. | update | 3 + +|<> | Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.). | update | 109 + +|<> | This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities. | update | 3 + +|<> | Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities. | update | 107 + +|<> | Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system. | update | 5 + +|<> | Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. | update | 107 + +|<> | Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution. | update | 207 + +|<