[New Rule] Potential SharpRdp Detected (#527)

* [New Rule] Potential SharpRdp Detected * Updated references * added process execution to the sequence added process execution to the sequence to capture the malicious process details that was executed * Linted * adjusted sequence * linted * adjusted process exec details to avoid procs termination * Update rules/windows/lateral_movement_rdp_sharprdp_target.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/lateral_movement_rdp_sharprdp_target.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/lateral_movement_rdp_sharprdp_target.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/lateral_movement_rdp_sharprdp_target.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/lateral_movement_rdp_sharprdp_target.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * eql syntax * eql syntax * ecs_version Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:00:51 +01:00
parent bd2006d70d
commit 02e9c082df
1 changed files with 59 additions and 0 deletions
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2020/11/11"
+maturity = "production"
+updated_date = "2020/11/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a
+remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License"
+name = "Potential SharpRDP Behavior"
+references = [
+    "https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3",
+    "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx",
+]
+risk_score = 73
+rule_id = "8c81e506-6e82-4884-9b9a-75d3d252f967"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+type = "eql"
+
+query = '''
+/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */
+
+sequence by host.id with maxspan=1m
+  [network where event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and 
+   network.direction == "incoming" and network.transport == "tcp" and
+   source.address != "127.0.0.1" and source.address != "::1"
+  ]
+
+  [registry where process.name : "explorer.exe" and 
+   registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*") and
+   registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*", "\\\\tsclient\\*.exe\\*")
+  ]
+  
+  [process where event.type in ("start", "process_started") and
+   (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and 
+   not process.name : "conhost.exe"
+   ]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"