Minor changes from Investigation Guides Review (#1927)
(cherry picked from commit 258418785f)
committed by github-actions[bot]
parent 10bc32b9aa
commit 2889bf7d4e
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/25"
maturity = "production"
updated_date = "2022/03/28"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -32,10 +32,10 @@ This rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Service
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check for similar behavior in other hosts in the environment.
- Check for similar behavior in other hosts on the environment.
- Identify the target host IP address, verify if connections were made from the host where the modification occurred,
and which credentials were used.
- Investigate suspicious login activity, such as unauthorized access, logins outside working hours, and from unusual locations.
and check what credentials were used to perform it.
- Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.
### False positive analysis
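Review bot: two wording regressions in the added lines of this hunk. "Check for similar behavior in other hosts on the environment" replaces the idiomatic "in the environment"; hosts are in an environment, not on it, so the removed preposition should be kept. In the rewritten login step, "logins from outside working hours and unusual locations" attaches "from" to the wrong noun; "logins outside working hours and from unusual locations" keeps both qualifiers attached correctly. The new "and check what credentials were used to perform it" reads better than the removed "and which credentials were used" and can stay.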
@@ -49,8 +49,8 @@ of user and command line conditions.
- Initiate the incident response process based on the outcome of the triage.
- Delete the port forwarding rule.
- Isolate the involved host to prevent further post-compromise behavior.
- If potential malware or credential compromise activities were discovered during the triage of the alert, activate the
respective incident response plan.
- If potential malware or credential compromise activities were discovered during the alert triage, activate the respective
incident response plan.
## Config
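Review bot: the reworded "during the alert triage" line is fine, but while this response list is being touched, its ordering deserves a look: "Delete the port forwarding rule." precedes "Isolate the involved host to prevent further post-compromise behavior.", whereas isolating the host normally comes first so the adversary cannot re-establish the forwarding while the artefact is being removed. Suggest swapping the two bullets.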
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/10/14"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -20,12 +20,12 @@ note = """## Triage and analysis
Protocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases,
ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would
filter to reach its destination.
filter to reach their destination.
Attackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP
connections but may be more permissive to other protocols.
This rule looks for command lines involving the `3389` port, which RDP uses by default, and options commonly associated
This rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated
with tools that perform tunneling.
#### Possible investigation steps
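Review bot: the added line "which RDP uses by default and options commonly associated" drops the comma that closed the relative clause, so the sentence now reads as if RDP uses "options" by default. Keep the comma: "involving the `3389` port, which RDP uses by default, and options commonly associated with tools that perform tunneling." The "its destination" to "their destination" change also goes the wrong way: the subject is "traffic", which is singular, so "reach its destination" was correct.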
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/03"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -18,10 +18,10 @@ note = """## Triage and analysis
### Investigating Remote File Download via Desktopimgdownldr Utility
Attackers commonly transfer tooling or malware from external systems into the compromised environment using the command
Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command
and control channel. However, they can also abuse signed utilities to drop these files.
The `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, but can be abused with the
The `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the
`lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.
#### Possible investigation steps
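Review bot: the doubled "used to to configure" in the `Desktopimgdownldr.exe` sentence survives on the added line; fix it here since the line is being rewritten anyway ("is used to configure the lock screen or desktop image"). The same sentence ends in a comma splice, "...download remote files and tools, this rule looks for this behavior."; split it into two sentences or close with "which is the behavior this rule looks for." The "but" to "and" change is correct, as is "a compromised environment".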
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/03"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ note = """## Triage and analysis
### Investigating Remote File Download via MpCmdRun
Attackers commonly transfer tooling or malware from external systems into the compromised environment using the command
Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command
and control channel. However, they can also abuse signed utilities to drop these files.
The `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows
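Review bot: the "into a compromised environment" change matches the other guides in this PR. The trailing context line "The `MpCmdRun.exe` is a command-line tool part of Windows Defender" needs an article fix in a follow-up: either drop "The" or write "The `MpCmdRun.exe` utility is a command-line tool that is part of Windows Defender".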
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/30"
maturity = "production"
updated_date = "2022/03/28"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ note = """## Triage and analysis
### Investigating Remote File Download via PowerShell
Attackers commonly transfer tooling or malware from external systems into the compromised environment using the command
Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command
and control channel. However, they can also abuse signed utilities to drop these files.
PowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/29"
maturity = "production"
updated_date = "2022/03/23"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -37,7 +37,7 @@ This rule looks for DLLs and executables downloaded using `cscript.exe` or `wscr
- Manually analyze the script to determine if malicious capabilities are present.
- Investigate whether the potential malware ran successfully, is active on the host, or was stopped by defenses.
- Investigate other alerts related to the user/host in the last 48 hours.
- Check for similar behavior in other hosts in the environment.
- Check for similar behavior in other hosts on the environment.
### False positive analysis
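Review bot: "other hosts on the environment" on the added line is non-idiomatic; the removed "in the environment" should be kept. Nothing else changes in this hunk.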
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/14"
maturity = "production"
updated_date = "2022/03/23"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -44,7 +44,7 @@ by imitating the Orion Improvement Program (OIP) protocol behavior.
- Investigate whether the potential malware ran successfully, is active on the host, or was stopped by defenses.
- Investigate the network traffic.
- Investigate other alerts related to the user/host in the last 48 hours.
- Check for similar behavior in other hosts in the environment.
- Check for similar behavior in other hosts on the environment.
### False positive analysis
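Review bot: the added "hosts on the environment" line has the same preposition regression as the other guides and should remain "hosts in the environment". The context bullet "Investigate the network traffic." is also the vaguest step in this list; since the hunk header says the rule keys on traffic imitating the Orion Improvement Program (OIP) protocol, the bullet could name what to look at (the destination and the request pattern the rule describes) so an analyst knows where to start.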
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ note = """## Triage and analysis
### Investigating Remote File Copy via TeamViewer
Attackers commonly transfer tooling or malware from external systems into the compromised environment using the command
Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command
and control channel. However, they can also abuse legitimate utilities to drop these files.
TeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/07/20"
maturity = "production"
updated_date = "2022/04/06"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ was observed in 2018 where Trickbot incorporated mechanisms to disable Windows D
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Examine the exclusion in order to determine the intent behind it.
- Check for similar behavior in other hosts in the environment.
- Check for similar behavior in other hosts on the environment.
- If the exclusion specifies a suspicious file, retrieve it and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
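Review bot: "other hosts on the environment" should stay "other hosts in the environment"; the rest of this hunk is unchanged context.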
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ This rule identifies the deletion of the backup catalog using the `wbadmin.exe`
- Identify the user account that performed the action and whether it should perform this kind of action.
- Confirm whether the account owner is aware of the operation.
- Investigate other alerts related to the user/host in the last 48 hours.
- Check for similar behavior in other hosts in the environment.
- Check for similar behavior in other hosts on the environment.
- Check if any files on the host machine have been encrypted.
### False positive analysis
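Review bot: the only change here swaps "in the environment" for "on the environment", which is a regression in wording; keep the removed line.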
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/03/16"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -35,7 +35,7 @@ These are common steps in destructive attacks by adversaries leveraging ransomwa
- Identify the user account that performed the action and whether it should perform this kind of action.
- Confirm whether the account owner is aware of the operation.
- Investigate other alerts related to the user/host in the last 48 hours.
- Check for similar behavior in other hosts in the environment.
- Check for similar behavior in other hosts on the environment.
- Check if any files on the host machine have been encrypted.
### False positive analysis
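Review bot: "hosts on the environment" is non-idiomatic; keep the removed "hosts in the environment". No other change in this hunk.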
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/03"
maturity = "production"
updated_date = "2022/03/23"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ host within a short time period.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Confirm whether the account owner is aware of the operation, and why it was performed.
- Investigate other alerts related to the user/host in the last 48 hours.
- Check for similar behavior in other hosts in the environment.
- Check for similar behavior in other hosts on the environment.
- Check if any files on the host machine have been encrypted.
### False positive analysis
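Review bot: same "on the environment" regression on the added line; the removed "in the environment" wording should stay.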
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -23,7 +23,7 @@ whenever Adobe Acrobat Reader is executed.
- Investigate the process execution chain (parent process tree).
- Identify the user account that performed the action.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check for similar behavior in other hosts in the environment.
- Check for similar behavior in other hosts on the environment.
- Retrieve the file and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
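Review bot: "other hosts on the environment" should remain "other hosts in the environment"; nothing else in this hunk changes.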
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -35,7 +35,7 @@ binaries' original file names, which is likely a custom binary deployed by the a
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check for similar behavior in other hosts in the environment.
- Check for similar behavior in other hosts on the environment.
- Retrieve the file and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
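Review bot: "hosts on the environment" on the added line is a wording regression; keep "hosts in the environment".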
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -26,12 +26,12 @@ This rule looks for system shells being spawned by `services.exe`, which is comp
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Identify how the service was created or modified (Look for registry changes events or Windows events related to
service activities (i.e., 4697 and/or 7045)).
- Identify how the service was created or modified. Look for registry changes events or Windows events related to
service activities (for example, 4697 and/or 7045).
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check for similar behavior in other hosts in the environment.
- Check for similar behavior in other hosts on the environment.
- Check for commands executed under the spawned shell.
### False positive analysis
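Review bot: splitting the nested parenthetical into its own sentence is an improvement, but the added line still says "registry changes events"; it should be "registry change events", and "4697 and/or 7045" can simply be "4697 or 7045". The "hosts on the environment" line has the same preposition regression as the other guides in this PR and should keep "in the environment".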
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/09"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/13"
[rule]
author = ["Elastic", "Skoetting"]
@@ -22,11 +22,10 @@ note = """## Triage and analysis
Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are
granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.
Attackers can add users to privileged groups to maintain their level of access if other privileged accounts they do have
access to get uncovered by the security team. This way, they can continue their operations even after the discovery of
an abused account.
Attackers can add users to privileged groups to maintain a level of access if their other privileged accounts are
uncovered by the security team. This allows them to keep operating after the security team discovers abused accounts.
This rule monitors events related to the addition of a user to one of the privileged groups.
This rule monitors events related to a user being added to a privileged group.
#### Possible investigation steps
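Review bot: the rewritten paragraph uses "security team" in two consecutive sentences; "This allows them to keep operating after those accounts are discovered." avoids the repetition while keeping the meaning. The shortened rule description, "a user being added to a privileged group", is clearer than the removed wording and can stay.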
@@ -3,7 +3,7 @@ creation_date = "2021/11/25"
maturity = "production"
min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
min_stack_version = "7.16.0"
updated_date = "2022/04/06"
updated_date = "2022/04/13"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ which is outside the scope of this rule.
- Check the executable's digital signature.
- Look for additional processes spawned by the process, command lines, and network communications.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check for similar behavior in other hosts in the environment.
- Check for similar behavior in other hosts on the environment.
- Retrieve the file and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
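Review bot: "other hosts on the environment" should remain "other hosts in the environment"; there is no other change in this hunk.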