[Security Content] Add Investigation Guides - 5 (#1895)

* [Security Content] Add Investigation Guides - 5 Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> (cherry picked from commit 46f5af436e)
2022-04-12 21:12:59 -03:00
parent 7fdf870d31
commit 03677ca4e8
10 changed files with 423 additions and 10 deletions
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/03/28"

 [rule]
 author = ["Elastic"]
@@ -14,7 +14,46 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Port Forwarding Rule Addition"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating Port Forwarding Rule Addition
+
+Network port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to
+any other port number, or even to a port on a remote computer.
+
+Attackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box
+to access previously unreachable systems.
+
+This rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree).
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Contact the account owner and confirm whether they are aware of this activity.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Check for similar behavior in other hosts in the environment.
+- Identify the target host IP address, verify if connections were made from the host where the modification occurred,
+and which credentials were used.
+  - Investigate suspicious login activity, such as unauthorized access, logins outside working hours, and from unusual locations.
+
+### False positive analysis
+
+- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity
+and there are justifications for this configuration.
+- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination
+of user and command line conditions.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Delete the port forwarding rule.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If potential malware or credential compromise activities were discovered during the triage of the alert, activate the
+respective incident response plan.
+
+
+## Config

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -14,7 +14,45 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Remote Desktop Tunneling Detected"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating Potential Remote Desktop Tunneling Detected
+
+Protocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases,
+ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would
+filter to reach its destination.
+
+Attackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP
+connections but may be more permissive to other protocols.
+
+This rule looks for command lines involving the `3389` port, which RDP uses by default, and options commonly associated
+with tools that perform tunneling.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree).
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Contact the account owner and confirm whether they are aware of this activity.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Determine if the activity is unique by validating if other machines in the organization have similar entries.
+- Examine network data to determine if the host communicated with external servers using the tunnel.
+
+### False positive analysis
+
+- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.
+- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- Disable the involved accounts, or restrict their ability to log on remotely.
+- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
+- Take actions to disable the tunneling.
+- Investigate the initial attack vector.
+
+
+## Config

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -14,7 +14,56 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via Desktopimgdownldr Utility"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating Remote File Download via Desktopimgdownldr Utility
+
+Attackers commonly transfer tooling or malware from external systems into the compromised environment using the command
+and control channel. However, they can also abuse signed utilities to drop these files.
+
+The `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, but can be abused with the
+`lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree).
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Contact the account owner and confirm whether they are aware of this activity.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Determine if the activity is unique by validating if other machines in the organization have similar entries.
+- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file
+from an internal system.
+- Retrieve the file and determine if it is malicious:
+  - Identify the file type.
+  - Use a private sandboxed malware analysis system to perform analysis.
+    - Observe and collect information about the following activities:
+      - Attempts to contact external domains and addresses.
+      - File and registry access, modification, and creation activities.
+      - Service creation and launch activities.
+      - Scheduled tasks creation.
+  - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
+    - Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False positive analysis
+
+- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions
+if necessary.
+- Analysts can dismiss the alert if the downloaded file is a legitimate image.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement any temporary network rules, procedures, and segmentation required to contain the malware.
+  - Immediately block the IoCs identified.
+- Remove and block malicious artifacts identified on the triage.
+- Disable the involved accounts, or restrict their ability to log on remotely.
+- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
+- Investigate the initial attack vector.
+
+
+## Config

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -14,8 +14,49 @@ name = "Remote File Download via MpCmdRun"
 note = """## Triage and analysis

 ### Investigating Remote File Download via MpCmdRun
+
+Attackers commonly transfer tooling or malware from external systems into the compromised environment using the command
+and control channel. However, they can also abuse signed utilities to drop these files.
+
+The `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows
+Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files,
+including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree).
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Contact the account owner and confirm whether they are aware of this activity.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Check the reputation of the domain or IP address used to host the downloaded file.
+- Retrieve the file and determine if it is malicious:
+  - Use a private sandboxed malware analysis system to perform analysis.
+    - Observe and collect information about the following activities:
+      - Attempts to contact external domains and addresses.
+      - File and registry access, modification, and creation activities.
+      - Service creation and launch activities.
+      - Scheduled tasks creation.
+  - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
+    - Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False positive analysis
+
+- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement any temporary network rules, procedures, and segmentation required to contain the malware.
+  - Immediately block the IoCs identified.
+- Remove and block malicious artifacts identified on the triage.
+- Disable the involved accounts, or restrict their ability to log on remotely.
+- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
+- Investigate the initial attack vector.
 Verify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`.

+
 ## Config

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2021/10/17"
+updated_date = "2022/03/28"

 [rule]
 author = ["Elastic"]
@@ -11,6 +11,52 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via PowerShell"
+note = """## Triage and analysis
+
+### Investigating Remote File Download via PowerShell
+
+Attackers commonly transfer tooling or malware from external systems into the compromised environment using the command
+and control channel. However, they can also abuse signed utilities to drop these files.
+
+PowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it
+available for use in various environments and creates an attractive way for attackers to execute code and perform
+actions. This rule correlates network and file events to detect downloads of executable and script files performed using
+PowerShell.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree).
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Consider whether the user needs PowerShell to complete its tasks.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Check the reputation of the domain or IP address used to host the downloaded file.
+- Retrieve the file and determine if it is malicious:
+  - Use a private sandboxed malware analysis system to perform analysis.
+    - Observe and collect information about the following activities:
+      - Attempts to contact external domains and addresses.
+      - File and registry access, modification, and creation activities.
+      - Service creation and launch activities.
+      - Scheduled tasks creation.
+  - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
+    - Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False positive analysis
+
+- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert
+if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement any temporary network rules, procedures, and segmentation required to contain the malware.
+  - Immediately block the IoCs identified.
+- Remove and block malicious artifacts identified on the triage.
+- Disable the involved accounts, or restrict their ability to log on remotely.
+- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
+- Investigate the initial attack vector.
+"""
 risk_score = 47
 rule_id = "33f306e8-417c-411b-965c-c2812d6d3f4d"
 severity = "medium"
@@ -11,7 +11,52 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Copy via TeamViewer"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating Remote File Copy via TeamViewer
+
+Attackers commonly transfer tooling or malware from external systems into the compromised environment using the command
+and control channel. However, they can also abuse legitimate utilities to drop these files.
+
+TeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various
+support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other
+malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree).
+- Contact the user to gather information about who and why was conducting the remote access.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this
+access.
+- Retrieve the file and determine if it is malicious:
+  - Use a private sandboxed malware analysis system to perform analysis.
+    - Observe and collect information about the following activities:
+      - Attempts to contact external domains and addresses.
+      - File and registry access, modification, and creation activities.
+      - Service creation and launch activities.
+      - Scheduled tasks creation.
+  - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
+    - Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False positive analysis
+
+- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct
+remote access and the triage has not identified suspicious or malicious files.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement any temporary network rules, procedures, and segmentation required to contain the malware.
+  - Immediately block the IoCs identified.
+- Remove and block malicious artifacts identified on the triage.
+- Disable the involved accounts, or restrict their ability to log on remotely.
+- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
+
+
+## Config

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -11,10 +11,52 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Adobe Hijack Persistence"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating Adobe Hijack Persistence
+
+Attackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched
+whenever Adobe Acrobat Reader is executed.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree).
+- Identify the user account that performed the action.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Check for similar behavior in other hosts in the environment.
+- Retrieve the file and determine if it is malicious:
+  - Use a private sandboxed malware analysis system to perform analysis.
+    - Observe and collect information about the following activities:
+      - Attempts to contact external domains and addresses.
+      - File and registry access, modification, and creation activities.
+      - Service creation and launch activities.
+      - Scheduled tasks creation.
+  - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
+    - Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False positive analysis
+
+- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement any temporary network rules, procedures, and segmentation required to contain the malware.
+  - Immediately block the IoCs identified.
+- Remove and block malicious artifacts identified on the triage.
+- Disable the involved accounts, or restrict their ability to log on remotely.
+- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
+
+
+## Config

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
+references = [
+    "https://twitter.com/pabraeken/status/997997818362155008",
+]
 risk_score = 21
 rule_id = "2bf78aa2-9c56-48de-b139-f169bf99cf86"
 severity = "low"
@@ -15,7 +15,54 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Modification of Accessibility Binaries"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating Potential Modification of Accessibility Binaries
+
+Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by
+accessibility features. Windows contains accessibility features that may be launched with a key combination before a
+user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs
+are launched to get a command prompt or backdoor without logging in to the system.
+
+More details can be found [here](https://attack.mitre.org/techniques/T1546/008/).
+
+This rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features
+binaries' original file names, which is likely a custom binary deployed by the attacker.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree).
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Contact the account owner and confirm whether they are aware of this activity.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Check for similar behavior in other hosts in the environment.
+- Retrieve the file and determine if it is malicious:
+  - Use a private sandboxed malware analysis system to perform analysis.
+    - Observe and collect information about the following activities:
+      - Attempts to contact external domains and addresses.
+      - File and registry access, modification, and creation activities.
+      - Service creation and launch activities.
+      - Scheduled tasks creation.
+  - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
+    - Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False positive analysis
+
+- This activity should not happen legitimately. The security team should address any potential benign true positive
+(B-TP), as this configuration can put the user and the domain at risk.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement any temporary network rules, procedures, and segmentation required to contain the malware.
+  - Immediately block the IoCs identified.
+- Remove and block malicious artifacts identified on the triage.
+- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
+
+
+## Config

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -14,7 +14,41 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "System Shells via Services"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating System Shells via Services
+
+Attackers may configure existing services or create new ones to execute system shells to elevate their privileges from
+administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.
+
+This rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree).
+- Identify how the service was created or modified (Look for registry changes events or Windows events related to
+service activities (i.e., 4697 and/or 7045)).
+  - Identify the user account that performed the action and whether it should perform this kind of action.
+- Contact the account owner and confirm whether they are aware of this activity.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Check for similar behavior in other hosts in the environment.
+- Check for commands executed under the spawned shell.
+
+### False positive analysis
+
+- This activity should not happen legitimately. The security team should address any potential benign true positive
+(B-TP), as this configuration can put the user and the domain at risk.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
+- Delete the service or restore it to the original configuration.
+- Investigate the initial attack vector.
+
+
+## Config

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -15,7 +15,39 @@ index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "User Added to Privileged Group in Active Directory"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating User Added to Privileged Group in Active Directory
+
+Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are
+granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.
+
+Attackers can add users to privileged groups to maintain their level of access if other privileged accounts they do have
+access to get uncovered by the security team. This way, they can continue their operations even after the discovery of
+an abused account.
+
+This rule monitors events related to the addition of a user to one of the privileged groups.
+
+#### Possible investigation steps
+
+- Identify the user account that performed the action and whether it should manage members of this group.
+- Contact the account owner and confirm whether they are aware of this activity.
+- Investigate other alerts associated with the user during the past 48 hours.
+
+### False positive analysis
+
+- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is
+legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account
+this level of privilege.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- If the admin is not aware of the operation, activate your Active Directory incident response plan.
+- If the user does not need the administrator privileges, remove the account from the privileged group.
+
+
+## Config

 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """