From 03b350ff0b7274735a41c1244d119813010ae1dd Mon Sep 17 00:00:00 2001
From: JPMinty
Date: Mon, 5 Oct 2020 13:15:48 +1030
Subject: [PATCH 1/8] Create win_remote_schtask.yml
---
rules/windows/builtin/win_remote_schtask.yml | 36 ++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 rules/windows/builtin/win_remote_schtask.yml
diff --git a/rules/windows/builtin/win_remote_schtask.yml b/rules/windows/builtin/win_remote_schtask.yml
new file mode 100644
index 000000000..40b923741
--- /dev/null
+++ b/rules/windows/builtin/win_remote_schtask.yml
@@ -0,0 +1,36 @@
+title: Remote Schtasks Creation
+id: cf349c4b-99af-40fa-a051-823aa2307a84
+status: experimental
+description: Detects remote execution via scheduled task creation or update on the destination host
+author: Jai Minton
+date: 2020/10/05
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+tags:
+ - attack.lateral_movement
+ - attack.persistence
+ - attack.execution
+ - attack.t1053.005
+logsource:
+ product: windows
+ service: security
+ definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft).'
+detection:
+ selection1:
+ EventID: 4624
+ Logon_Type: 3
+ selection2:
+ EventID:
+ - 4698
+ - 4702
+ filter1:
+ Source_Network_Address:
+ - '::1'
+ - '127.0.0.1'
+ filter2:
+ Source_Network_Address: '-'
+ timeframe: 30d
+ condition: (selection1 and not filter1) or selection2 and not filter2
+falsepositives:
+ - Unknown
+level: medium
From 79d9cbe2c70b08d53f036c96e8d006e13fc50293 Mon Sep 17 00:00:00 2001
From: JPMinty
Date: Mon, 5 Oct 2020 13:23:00 +1030
Subject: [PATCH 2/8] Create win_remote_service.yml
---
rules/windows/builtin/win_remote_service.yml | 33 ++++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 rules/windows/builtin/win_remote_service.yml
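Review bot: `condition: (selection1 and not filter1) or selection2 and not filter2` ORs the network-logon selection with the task-creation selection, so the rule fires on every non-loopback Logon_Type 3 4624 and on every 4698/4702 independently, and `timeframe: 30d` has no effect because Sigma's timeframe only applies to an aggregation expression (`| count() ... by ...`), which this condition lacks. The correlation the description implies (a network logon followed by a task creation in that session) is therefore not expressed; the legacy specification's `| near` aggregation is the closest construct, though backend support for it was limited, and otherwise the rule should be narrowed to `condition: selection2 and not filter2` with the logon context documented under `description`. `filter2` checks `Source_Network_Address: '-'` against 4698/4702 events, which as far as I can see do not carry that field, so `not filter2` is always true and the filter is dead. The field names `Logon_Type` and `Source_Network_Address` look like Splunk extraction names rather than the EventData-style names the repository's existing 4624 rules use (`LogonType` and a camel-case address field) — worth confirming against the field mapping before this is merged. The same `or` plus idle-`timeframe` construction is present in win_remote_service.yml in patches 2, 4, 6 and 8.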
diff --git a/rules/windows/builtin/win_remote_service.yml b/rules/windows/builtin/win_remote_service.yml
new file mode 100644
index 000000000..73db09935
--- /dev/null
+++ b/rules/windows/builtin/win_remote_service.yml
@@ -0,0 +1,33 @@
+title: Remote Service Creation
+id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46
+status: experimental
+description: Detects remote execution via service creation on the destination host
+author: Jai Minton
+date: 2020/10/05
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+tags:
+ - attack.lateral_movement
+ - attack.persistence
+ - attack.execution
+ - attack.t1543.003
+logsource:
+ product: windows
+ service: security, system
+detection:
+ selection1:
+ EventID: 4624
+ Logon_Type: 3
+ selection2:
+ EventID:
+ - 4697
+ - 7045
+ filter1:
+ Source_Network_Address:
+ - '::1'
+ - '127.0.0.1'
+ timeframe: 30d
+ condition: (selection1 and not filter1) or selection2
+falsepositives:
+ - Unknown
+level: medium
From ad5b128d0d559ffdbdca9680f27d74364ed275ef Mon Sep 17 00:00:00 2001
From: JPMinty
Date: Mon, 5 Oct 2020 13:26:12 +1030
Subject: [PATCH 3/8] Delete win_remote_service.yml
---
rules/windows/builtin/win_remote_service.yml | 33 --------------------
1 file changed, 33 deletions(-)
delete mode 100644 rules/windows/builtin/win_remote_service.yml
diff --git a/rules/windows/builtin/win_remote_service.yml b/rules/windows/builtin/win_remote_service.yml
deleted file mode 100644
index 73db09935..000000000
--- a/rules/windows/builtin/win_remote_service.yml
+++ /dev/null
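Review bot: `service: security, system` under `logsource` is one scalar string, not two channels; Sigma's `service` takes a single value, so this rule maps to neither the Security nor the System log in backend configurations, while 4624/4697 are Security events and 7045 is a System event. The series addresses this in patch 6 by splitting into `action: global` documents, but at this revision the rule is unusable as written, and `or selection2` on the 7045 side means every service installed on the host matches regardless of any preceding network logon. Patch 4 re-adds this file with identical content (blob 73db09935), so the same applies there.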
@@ -1,33 +0,0 @@
-title: Remote Service Creation
-id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46
-status: experimental
-description: Detects remote execution via service creation on the destination host
-author: Jai Minton
-date: 2020/10/05
-references:
- - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
-tags:
- - attack.lateral_movement
- - attack.persistence
- - attack.execution
- - attack.t1543.003
-logsource:
- product: windows
- service: security, system
-detection:
- selection1:
- EventID: 4624
- Logon_Type: 3
- selection2:
- EventID:
- - 4697
- - 7045
- filter1:
- Source_Network_Address:
- - '::1'
- - '127.0.0.1'
- timeframe: 30d
- condition: (selection1 and not filter1) or selection2
-falsepositives:
- - Unknown
-level: medium
From 99e52a6f7a4a60ccf28f0195f3af9e48695b0f67 Mon Sep 17 00:00:00 2001
From: JPMinty
Date: Mon, 5 Oct 2020 13:37:55 +1030
Subject: [PATCH 4/8] Create win_remote_service.yml
---
rules/windows/builtin/win_remote_service.yml | 33 ++++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 rules/windows/builtin/win_remote_service.yml
diff --git a/rules/windows/builtin/win_remote_service.yml b/rules/windows/builtin/win_remote_service.yml
new file mode 100644
index 000000000..73db09935
--- /dev/null
+++ b/rules/windows/builtin/win_remote_service.yml
@@ -0,0 +1,33 @@
+title: Remote Service Creation
+id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46
+status: experimental
+description: Detects remote execution via service creation on the destination host
+author: Jai Minton
+date: 2020/10/05
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+tags:
+ - attack.lateral_movement
+ - attack.persistence
+ - attack.execution
+ - attack.t1543.003
+logsource:
+ product: windows
+ service: security, system
+detection:
+ selection1:
+ EventID: 4624
+ Logon_Type: 3
+ selection2:
+ EventID:
+ - 4697
+ - 7045
+ filter1:
+ Source_Network_Address:
+ - '::1'
+ - '127.0.0.1'
+ timeframe: 30d
+ condition: (selection1 and not filter1) or selection2
+falsepositives:
+ - Unknown
+level: medium
From 6fc476b2a283f0faaf286ff1077017bbd5face84 Mon Sep 17 00:00:00 2001
From: JPMinty
Date: Mon, 5 Oct 2020 13:40:57 +1030
Subject: [PATCH 5/8] Delete win_remote_schtask.yml
---
rules/windows/builtin/win_remote_schtask.yml | 36 --------------------
1 file changed, 36 deletions(-)
delete mode 100644 rules/windows/builtin/win_remote_schtask.yml
diff --git a/rules/windows/builtin/win_remote_schtask.yml b/rules/windows/builtin/win_remote_schtask.yml
deleted file mode 100644
index 40b923741..000000000
--- a/rules/windows/builtin/win_remote_schtask.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-title: Remote Schtasks Creation
-id: cf349c4b-99af-40fa-a051-823aa2307a84
-status: experimental
-description: Detects remote execution via scheduled task creation or update on the destination host
-author: Jai Minton
-date: 2020/10/05
-references:
- - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
-tags:
- - attack.lateral_movement
- - attack.persistence
- - attack.execution
- - attack.t1053.005
-logsource:
- product: windows
- service: security
- definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft).'
-detection:
- selection1:
- EventID: 4624
- Logon_Type: 3
- selection2:
- EventID:
- - 4698
- - 4702
- filter1:
- Source_Network_Address:
- - '::1'
- - '127.0.0.1'
- filter2:
- Source_Network_Address: '-'
- timeframe: 30d
- condition: (selection1 and not filter1) or selection2 and not filter2
-falsepositives:
- - Unknown
-level: medium
From bf43344858b1d6a3ed8c46821a7ac8c6595e369b Mon Sep 17 00:00:00 2001
From: JPMinty
Date: Wed, 7 Oct 2020 17:25:34 +1030
Subject: [PATCH 6/8] Refactor for multiple log sources
---
rules/windows/builtin/win_remote_service.yml | 21 +++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/rules/windows/builtin/win_remote_service.yml b/rules/windows/builtin/win_remote_service.yml
index 73db09935..85d2566cc 100644
--- a/rules/windows/builtin/win_remote_service.yml
+++ b/rules/windows/builtin/win_remote_service.yml
@@ -1,8 +1,9 @@
+action: global
 title: Remote Service Creation
 id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46
 status: experimental
 description: Detects remote execution via service creation on the destination host
-author: Jai Minton
+author: Jai Minton, oscd.community
 date: 2020/10/05
 references:
 - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
@@ -18,10 +19,6 @@ detection:
 selection1:
 EventID: 4624
 Logon_Type: 3
- selection2:
- EventID:
- - 4697
- - 7045
 filter1:
 Source_Network_Address:
 - '::1'
@@ -31,3 +28,17 @@ detection:
 falsepositives:
 - Unknown
 level: medium
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection2:
+ EventID: 4697
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection2:
+ EventID: 7045
\ No newline at end of file
From 13ac0b0e72f052956b5894cfcbd10a5a91ba98d5 Mon Sep 17 00:00:00 2001
From: JPMinty
Date: Fri, 9 Oct 2020 17:05:51 +1030
Subject: [PATCH 7/8] Update win_remote_service.yml
---
rules/windows/builtin/win_remote_service.yml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/rules/windows/builtin/win_remote_service.yml b/rules/windows/builtin/win_remote_service.yml
index 85d2566cc..2647dde4b 100644
--- a/rules/windows/builtin/win_remote_service.yml
+++ b/rules/windows/builtin/win_remote_service.yml
@@ -12,9 +12,6 @@ tags:
 - attack.persistence
 - attack.execution
 - attack.t1543.003
-logsource:
- product: windows
- service: security, system
 detection:
 selection1:
 EventID: 4624
From 10f5c38b20df700cbe73f5703534cf0031914b60 Mon Sep 17 00:00:00 2001
From: JPMinty
Date: Sun, 11 Oct 2020 12:40:24 +1030
Subject: [PATCH 8/8] Added conditional description + moved to unsupported-rules
---
rules-unsupported/win_remote_service.yml | 50 ++++++++++++++++++++
rules/windows/builtin/win_remote_service.yml | 41 ----------------
2 files changed, 50 insertions(+), 41 deletions(-)
create mode 100644 rules-unsupported/win_remote_service.yml
delete mode 100644 rules/windows/builtin/win_remote_service.yml
diff --git a/rules-unsupported/win_remote_service.yml b/rules-unsupported/win_remote_service.yml
new file mode 100644
index 000000000..75654260c
--- /dev/null
+++ b/rules-unsupported/win_remote_service.yml
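Review bot: In the `@@ -31,3 +28,17 @@` hunk the first `---` document's top-level keys are indented (`+ logsource:`, `+ detection:`) while the second document's are at column 0 (`+logsource:`, `+detection:`); YAML accepts a uniformly indented document, but the two should be written identically, and the last document ends without a final newline. With `action: global` the shared `condition: (selection1 and not filter1) or selection2` is instantiated once per logsource document: in the `service: system` document `selection1` (EventID 4624) can never match because 4624 is not written to the System log, so that rule reduces to every 7045, and in the `service: security` document it still fires on every non-loopback Logon_Type 3 logon. If the split is kept, give each document its own condition, e.g. `condition: selection2` in the System document, and state in `description` that the 4624-to-service-creation correlation is not expressed by the rule. The same indentation mismatch and missing newline are carried into rules-unsupported/win_remote_service.yml in patch 8.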
@@ -0,0 +1,50 @@
+action: global
+title: Remote Service Creation
+id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46
+status: experimental
+description: Detects remote execution via service creation on the destination host
+author: Jai Minton, oscd.community
+date: 2020/10/05
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+tags:
+ - attack.lateral_movement
+ - attack.persistence
+ - attack.execution
+ - attack.t1543.003
+detection:
+ selection1:
+ EventID: 4624
+ Logon_Type: 3
+ filter1:
+ Source_Network_Address:
+ - '::1'
+ - '127.0.0.1'
+ timeframe: 30s
+ condition: (selection1 and not filter1) or selection2
+ # where:
+ # selection1: TargetLogonID = selection2: SubjectLogonID, grouped by host over 30seconds | eventcount > 1
+ # Rule should trigger where the SubjectLogonID from event 7045 is the same as the TargetLogonID from event 4624 with a Logon_Type of 3, in a 30second period, provided its from the same host.
+ # This logic would be similar to the Splunk 'Transaction' operator which groups related events over a timeframe.
+ # This takes both field values (e.g. host), and an expression provided (e.g. startswith=(EventCode=4624) maxspan=30s) which occurs over the raw event log to find events, at which point a Union based on the criteria provided occurs to merge these events into a single transaction.
+ # This is similar to stats as an aggregation function, but allows you to see the raw text of events rather than to calculate stats on then, and it retains the raw event to allow an eval expression to occur for grouping. This is beneficial as fields such as LogonIDs are reused over time.
+ # By having this you can group logon events to their remote service creation event (as it is searching for a logon followed by a service creation) even by using a search timeframe over a long period of time e.g. 30days without running the risk of incorrectly grouping a logonID at one time, to a task creation at another.
+ # Rule logic is currently not supported by SIGMA.
+
+falsepositives:
+ - Unknown
+level: medium
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection2:
+ EventID: 4697
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection2:
+ EventID: 7045
\ No newline at end of file
diff --git a/rules/windows/builtin/win_remote_service.yml b/rules/windows/builtin/win_remote_service.yml
deleted file mode 100644
index 2647dde4b..000000000
--- a/rules/windows/builtin/win_remote_service.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-action: global
-title: Remote Service Creation
-id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46
-status: experimental
-description: Detects remote execution via service creation on the destination host
-author: Jai Minton, oscd.community
-date: 2020/10/05
-references:
- - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
-tags:
- - attack.lateral_movement
- - attack.persistence
- - attack.execution
- - attack.t1543.003
-detection:
- selection1:
- EventID: 4624
- Logon_Type: 3
- filter1:
- Source_Network_Address:
- - '::1'
- - '127.0.0.1'
- timeframe: 30d
- condition: (selection1 and not filter1) or selection2
-falsepositives:
- - Unknown
-level: medium
----
- logsource:
- product: windows
- service: security
- detection:
- selection2:
- EventID: 4697
----
-logsource:
- product: windows
- service: system
-detection:
- selection2:
- EventID: 7045
\ No newline at end of file
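Review bot: `timeframe: 30s` is still attached to a plain boolean `condition: (selection1 and not filter1) or selection2`, so it has no effect, and the rule as loaded matches every non-loopback network logon and every 4697/7045 rather than the 4624-to-service-creation correlation the `# where:` comment describes. That limitation is stated only in a YAML comment (`# Rule logic is currently not supported by SIGMA.`), which parsers discard; I would also put it where tooling and readers see it, e.g. extend `description` with `Correlating the 4624 TargetLogonId with the SubjectLogonId of the service-creation event is not expressible in Sigma; see the comments under detection.` The comment relies on 7045 carrying a SubjectLogonID, which I believe only 4697 (Security) has — the System-log 7045 event exposes the account name but, as far as I know, no logon ID, so the join would have to use 4697 or a host/time window — worth verifying before the note is relied on. Minor wording in the comment block: `calculate stats on then` should be `them`, `provided its from` should be `it's`, and `30seconds`/`30days` need a space. The first `---` document's top-level keys are indented by one space while the second document's are at column 0, and the file ends without a newline.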