From 0ab0ea4d10cb1886fecaf66865c33f4c9773061d Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Thu, 20 Jun 2024 10:41:53 -0300
Subject: [PATCH] [New Rule] Potential Privilege Escalation via Service ImagePath Modification (#3757)
* [New Rule] Potential Privilege Escalation via Service ImagePath Modification
* Update privilege_escalation_reg_service_imagepath_mod.toml
* [New Rule] NTDS Dump via Wbadmin
* Revert "[New Rule] NTDS Dump via Wbadmin"
This reverts commit 09fd513b1e8b35e22c7d1a371b0aa5aa4837cdc5.
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update privilege_escalation_reg_service_imagepath_mod.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit c20318d0d05de0b6d952745b1cf5a3d141e03faf)
---
 ..._escalation_reg_service_imagepath_mod.toml | 136 ++++++++++++++++++
 1 file changed, 136 insertions(+)
 create mode 100644 rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
diff --git a/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
new file mode 100644
index 000000000..71f91b041
--- /dev/null
+++ b/rules/windows/privilege_escalation_reg_service_imagepath_mod.toml
@@ -0,0 +1,136 @@
+[metadata]
+creation_date = "2024/06/05"
+integration = ["endpoint", "windows"]
+maturity = "production"
+updated_date = "2024/06/05"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with
+privileges from groups like Server Operators may change the ImagePath of services to executables under their control or
+to execute commands.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Privilege Escalation via Service ImagePath Modification"
+references = [
+ "https://cube0x0.github.io/Pocing-Beyond-DA/"
+]
+risk_score = 47
+rule_id = "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.type == "change" and process.executable != null and
+ event.action == "modification" and registry.value == "ImagePath" and
+ registry.key : (
+ "*\\ADWS", "*\\AppHostSvc", "*\\AppReadiness", "*\\AudioEndpointBuilder", "*\\AxInstSV", "*\\camsvc", "*\\CertSvc",
+ "*\\COMSysApp", "*\\CscService", "*\\defragsvc", "*\\DeviceAssociationService", "*\\DeviceInstall", "*\\DevQueryBroker",
+ "*\\Dfs", "*\\DFSR", "*\\diagnosticshub.standardcollector.service", "*\\DiagTrack", "*\\DmEnrollmentSvc", "*\\DNS",
+ "*\\dot3svc", "*\\Eaphost", "*\\GraphicsPerfSvc", "*\\hidserv", "*\\HvHost", "*\\IISADMIN", "*\\IKEEXT",
+ "*\\InstallService", "*\\iphlpsvc", "*\\IsmServ", "*\\LanmanServer", "*\\MSiSCSI", "*\\NcbService", "*\\Netlogon",
+ "*\\Netman", "*\\NtFrs", "*\\PlugPlay", "*\\Power", "*\\PrintNotify", "*\\ProfSvc", "*\\PushToInstall", "*\\RSoPProv",
+ "*\\sacsvr", "*\\SENS", "*\\SensorDataService", "*\\SgrmBroker", "*\\ShellHWDetection", "*\\shpamsvc", "*\\StorSvc",
+ "*\\svsvc", "*\\swprv", "*\\SysMain", "*\\Themes", "*\\TieringEngineService", "*\\TokenBroker", "*\\TrkWks",
+ "*\\UALSVC", "*\\UserManager", "*\\vm3dservice", "*\\vmicguestinterface", "*\\vmicheartbeat", "*\\vmickvpexchange",
+ "*\\vmicrdv", "*\\vmicshutdown", "*\\vmicvmsession", "*\\vmicvss", "*\\vmvss", "*\\VSS", "*\\w3logsvc", "*\\W3SVC",
+ "*\\WalletService", "*\\WAS", "*\\wercplsupport", "*\\WerSvc", "*\\Winmgmt", "*\\wisvc", "*\\wmiApSrv",
+ "*\\WPDBusEnum", "*\\WSearch"
+ ) and
+ not (
+ registry.data.strings : (
+ "?:\\Windows\\system32\\*.exe",
+ "%systemroot%\\system32\\*.exe",
+ "%windir%\\system32\\*.exe",
+ "%SystemRoot%\\system32\\svchost.exe -k *",
+ "%windir%\\system32\\svchost.exe -k *"
+ ) and
+ not registry.data.strings : (
+ "*\\cmd.exe",
+ "*\\cscript.exe",
+ "*\\ieexec.exe",
+ "*\\iexpress.exe",
+ "*\\installutil.exe",
+ "*\\Microsoft.Workflow.Compiler.exe",
+ "*\\msbuild.exe",
+ "*\\mshta.exe",
+ "*\\msiexec.exe",
+ "*\\msxsl.exe",
+ "*\\net.exe",
+ "*\\powershell.exe",
+ "*\\pwsh.exe",
+ "*\\reg.exe",
+ "*\\RegAsm.exe",
+ "*\\RegSvcs.exe",
+ "*\\regsvr32.exe",
+ "*\\rundll32.exe",
+ "*\\vssadmin.exe",
+ "*\\wbadmin.exe",
+ "*\\wmic.exe",
+ "*\\wscript.exe"
+ )
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1543"
+name = "Create or Modify System Process"
+reference = "https://attack.mitre.org/techniques/T1543/"
+[[rule.threat.technique.subtechnique]]
+id = "T1543.003"
+name = "Windows Service"
+reference = "https://attack.mitre.org/techniques/T1543/003/"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.011"
+name = "Services Registry Permissions Weakness"
+reference = "https://attack.mitre.org/techniques/T1574/011/"
+
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1569"
+name = "System Services"
+reference = "https://attack.mitre.org/techniques/T1569/"
+[[rule.threat.technique.subtechnique]]
+id = "T1569.002"
+name = "Service Execution"
+reference = "https://attack.mitre.org/techniques/T1569/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+