From 2889bf7d4ea1aa7bab18fc4ec60be0a815e3173b Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Wed, 13 Apr 2022 21:53:29 -0300
Subject: [PATCH] MInor changes from Investigation Guides Review (#1927)
(cherry picked from commit 258418785f562fe40ba9fa70e9c8fa7863c6d0e1)
---
...d_and_control_port_forwarding_added_registry.toml | 12 ++++++------
.../command_and_control_rdp_tunnel_plink.toml | 6 +++---
...d_control_remote_file_copy_desktopimgdownldr.toml | 6 +++---
...ommand_and_control_remote_file_copy_mpcmdrun.toml | 4 ++--
...mand_and_control_remote_file_copy_powershell.toml | 4 ++--
...command_and_control_remote_file_copy_scripts.toml | 4 ++--
...nd_and_control_sunburst_c2_activity_detected.toml | 4 ++--
...mand_and_control_teamviewer_remote_file_copy.toml | 4 ++--
...se_evasion_defender_exclusion_via_powershell.toml | 4 ++--
...impact_deleting_backup_catalogs_with_wbadmin.toml | 4 ++--
.../windows/impact_modification_of_boot_config.toml | 4 ++--
.../impact_stop_process_service_threshold.toml | 4 ++--
.../persistence_adobe_hijack_persistence.toml | 4 ++--
...e_priv_escalation_via_accessibility_features.toml | 4 ++--
.../persistence_system_shells_via_services.toml | 8 ++++----
...ce_user_account_added_to_privileged_group_ad.toml | 9 ++++-----
.../privilege_escalation_installertakeover.toml | 4 ++--
17 files changed, 44 insertions(+), 45 deletions(-)
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
index 01f95b37a..ea29f8d07 100644
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -1,7 +1,7 @@
[metadata] creation_date = "2020/11/25" maturity = "production"
-updated_date = "2022/03/28"
+updated_date = "2022/04/13"
[rule] author = ["Elastic"]
@@ -32,10 +32,10 @@ This rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Service
- Identify the user account that performed the action and whether it should perform this kind of action. - Contact the account owner and confirm whether they are aware of this activity. - Investigate other alerts associated with the user/host during the past 48 hours.
-- Check for similar behavior in other hosts in the environment.
+- Check for similar behavior in other hosts on the environment.
- Identify the target host IP address, verify if connections were made from the host where the modification occurred,
-and which credentials were used.
- - Investigate suspicious login activity, such as unauthorized access, logins outside working hours, and from unusual locations.
+and check what credentials were used to perform it.
+ - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.
### False positive analysis
@@ -49,8 +49,8 @@ of user and command line conditions.
- Initiate the incident response process based on the outcome of the triage. - Delete the port forwarding rule. - Isolate the involved host to prevent further post-compromise behavior.
-- If potential malware or credential compromise activities were discovered during the triage of the alert, activate the
-respective incident response plan.
+- If potential malware or credential compromise activities were discovered during the alert triage, activate the respective
+incident response plan.
## Config
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index a005c2a26..51e09ed58 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
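Review bot: The rewording `- Check for similar behavior in other hosts on the environment.` swaps a correct preposition for an incorrect one; hosts are *in* an environment, so the removed line `- Check for similar behavior in other hosts in the environment.` should be kept as it was. The same substitution is made in the hunks for command_and_control_remote_file_copy_scripts, command_and_control_sunburst_c2_activity_detected, defense_evasion_defender_exclusion_via_powershell, impact_deleting_backup_catalogs_with_wbadmin, impact_modification_of_boot_config, impact_stop_process_service_threshold, persistence_adobe_hijack_persistence, persistence_priv_escalation_via_accessibility_features, persistence_system_shells_via_services and privilege_escalation_installertakeover, and should be reverted in all of them. The new nested bullet is also less precise than the one it replaces, since "logins from outside working hours" reads oddly; `  - Investigate suspicious login activity, such as unauthorized access, logins outside working hours, and logins from unusual locations.` keeps the three items parallel. These lines sit inside the multi-line `note` string, whose opening and closing `"""` are outside the hunk.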
@@ -1,7 +1,7 @@
[metadata] creation_date = "2020/10/14" maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/13"
[rule] author = ["Elastic"]
@@ -20,12 +20,12 @@ note = """## Triage and analysis
Protocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would
-filter to reach its destination.
+filter to reach their destination.
Attackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.
-This rule looks for command lines involving the `3389` port, which RDP uses by default, and options commonly associated
+This rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated
with tools that perform tunneling. #### Possible investigation steps
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 22a80fa3b..661fd7174 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -1,7 +1,7 @@
[metadata] creation_date = "2020/09/03" maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/13"
[rule] author = ["Elastic"]
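Review bot: In `+filter to reach their destination.` the pronoun no longer agrees with its antecedent: the thing reaching a destination is `traffic` (singular), so the removed `filter to reach its destination.` was correct and should be restored. The second change in this hunk drops the comma that closed the relative clause, so ``the `3389` port, which RDP uses by default and options commonly associated`` now reads as if RDP uses both the port and the options; keep ``the `3389` port, which RDP uses by default, and options commonly associated``. Both lines are inside the multi-line `note` string, which starts and ends outside the hunk.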
@@ -18,10 +18,10 @@ note = """## Triage and analysis
### Investigating Remote File Download via Desktopimgdownldr Utility
-Attackers commonly transfer tooling or malware from external systems into the compromised environment using the command
+Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command
and control channel. However, they can also abuse signed utilities to drop these files.
-The `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, but can be abused with the
+The `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the
`lockscreenurl` argument to download remote files and tools, this rule looks for this behavior. #### Possible investigation steps
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 8c4ebc02a..2ea22bdca 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -1,7 +1,7 @@
[metadata] creation_date = "2020/09/03" maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/13"
[rule] author = ["Elastic"]
@@ -15,7 +15,7 @@ note = """## Triage and analysis
### Investigating Remote File Download via MpCmdRun
-Attackers commonly transfer tooling or malware from external systems into the compromised environment using the command
+Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command
and control channel. However, they can also abuse signed utilities to drop these files. The `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows
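Review bot: The rewritten line ``+The `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the`` still carries the doubled `to to` and a missing article, and the context line that follows it joins two sentences with a comma (`... remote files and tools, this rule looks for this behavior.`). Since the line is being edited anyway, I would write ``The `Desktopimgdownldr.exe` utility is used to configure the lock screen/desktop image, but can be abused with the`` and, on the next line, ``\`lockscreenurl\` argument to download remote files and tools. This rule looks for this behavior.``; keeping `but` also preserves the intended contrast between the legitimate use and the abuse. The `note` string this text belongs to starts and ends outside the hunk.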
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index d6dcd41e8..14082022b 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -1,7 +1,7 @@
[metadata] creation_date = "2020/11/30" maturity = "production"
-updated_date = "2022/03/28"
+updated_date = "2022/04/13"
[rule] author = ["Elastic"]
@@ -15,7 +15,7 @@ note = """## Triage and analysis
### Investigating Remote File Download via PowerShell
-Attackers commonly transfer tooling or malware from external systems into the compromised environment using the command
+Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command
and control channel. However, they can also abuse signed utilities to drop these files. PowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index 248e75181..8dd6370fa 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -1,7 +1,7 @@
[metadata] creation_date = "2020/11/29" maturity = "production"
-updated_date = "2022/03/23"
+updated_date = "2022/04/13"
[rule] author = ["Elastic"]
@@ -37,7 +37,7 @@ This rule looks for DLLs and executables downloaded using `cscript.exe` or `wscr
- Manually analyze the script to determine if malicious capabilities are present. - Investigate whether the potential malware ran successfully, is active on the host, or was stopped by defenses. - Investigate other alerts related to the user/host in the last 48 hours.
-- Check for similar behavior in other hosts in the environment.
+- Check for similar behavior in other hosts on the environment.
### False positive analysis
diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index 140db7c99..5c96f1d00 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -1,7 +1,7 @@
[metadata] creation_date = "2020/12/14" maturity = "production"
-updated_date = "2022/03/23"
+updated_date = "2022/04/13"
[rule] author = ["Elastic"]
@@ -44,7 +44,7 @@ by imitating the Orion Improvement Program (OIP) protocol behavior.
- Investigate whether the potential malware ran successfully, is active on the host, or was stopped by defenses. - Investigate the network traffic. - Investigate other alerts related to the user/host in the last 48 hours.
-- Check for similar behavior in other hosts in the environment.
+- Check for similar behavior in other hosts on the environment.
### False positive analysis
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index 07eee5d2a..b901f3a1c 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -1,7 +1,7 @@
[metadata] creation_date = "2020/09/02" maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/13"
[rule] author = ["Elastic"]
@@ -15,7 +15,7 @@ note = """## Triage and analysis
### Investigating Remote File Copy via TeamViewer
-Attackers commonly transfer tooling or malware from external systems into the compromised environment using the command
+Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command
and control channel. However, they can also abuse legitimate utilities to drop these files. TeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index 161bfc3cd..70cc8942d 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -1,7 +1,7 @@
[metadata] creation_date = "2021/07/20" maturity = "production"
-updated_date = "2022/04/06"
+updated_date = "2022/04/13"
[rule] author = ["Elastic"]
@@ -30,7 +30,7 @@ was observed in 2018 where Trickbot incorporated mechanisms to disable Windows D
- Identify the user account that performed the action and whether it should perform this kind of action. - Contact the account owner and confirm whether they are aware of this activity. - Examine the exclusion in order to determine the intent behind it.
-- Check for similar behavior in other hosts in the environment.
+- Check for similar behavior in other hosts on the environment.
- If the exclusion specifies a suspicious file, retrieve it and determine if it is malicious: - Use a private sandboxed malware analysis system to perform analysis. - Observe and collect information about the following activities:
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index 5f95bc491..768825cd1 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -1,7 +1,7 @@
[metadata] creation_date = "2020/02/18" maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/13"
[rule] author = ["Elastic"]
@@ -30,7 +30,7 @@ This rule identifies the deletion of the backup catalog using the `wbadmin.exe`
- Identify the user account that performed the action and whether it should perform this kind of action. - Confirm whether the account owner is aware of the operation. - Investigate other alerts related to the user/host in the last 48 hours.
-- Check for similar behavior in other hosts in the environment.
+- Check for similar behavior in other hosts on the environment.
- Check if any files on the host machine have been encrypted. ### False positive analysis
diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml
index 61c769cdd..daff17a8a 100644
--- a/rules/windows/impact_modification_of_boot_config.toml
+++ b/rules/windows/impact_modification_of_boot_config.toml
@@ -1,7 +1,7 @@
[metadata] creation_date = "2020/03/16" maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/13"
[rule] author = ["Elastic"]
@@ -35,7 +35,7 @@ These are common steps in destructive attacks by adversaries leveraging ransomwa
- Identify the user account that performed the action and whether it should perform this kind of action. - Confirm whether the account owner is aware of the operation. - Investigate other alerts related to the user/host in the last 48 hours.
-- Check for similar behavior in other hosts in the environment.
+- Check for similar behavior in other hosts on the environment.
- Check if any files on the host machine have been encrypted. ### False positive analysis
diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml
index 69f7c81fd..f167af6cd 100644
--- a/rules/windows/impact_stop_process_service_threshold.toml
+++ b/rules/windows/impact_stop_process_service_threshold.toml
@@ -1,7 +1,7 @@
[metadata] creation_date = "2020/12/03" maturity = "production"
-updated_date = "2022/03/23"
+updated_date = "2022/04/13"
[rule] author = ["Elastic"]
@@ -31,7 +31,7 @@ host within a short time period.
- Identify the user account that performed the action and whether it should perform this kind of action. - Confirm whether the account owner is aware of the operation, and why it was performed. - Investigate other alerts related to the user/host in the last 48 hours.
-- Check for similar behavior in other hosts in the environment.
+- Check for similar behavior in other hosts on the environment.
- Check if any files on the host machine have been encrypted. ### False positive analysis
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index 4392d0ea7..363feb5ce 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -1,7 +1,7 @@
[metadata] creation_date = "2020/02/18" maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/13"
[rule] author = ["Elastic"]
@@ -23,7 +23,7 @@ whenever Adobe Acrobat Reader is executed.
- Investigate the process execution chain (parent process tree). - Identify the user account that performed the action. - Investigate other alerts associated with the user/host during the past 48 hours.
-- Check for similar behavior in other hosts in the environment.
+- Check for similar behavior in other hosts on the environment.
- Retrieve the file and determine if it is malicious: - Use a private sandboxed malware analysis system to perform analysis. - Observe and collect information about the following activities:
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index fd08911f6..0820e1268 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -1,7 +1,7 @@
[metadata] creation_date = "2020/02/18" maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/13"
[rule] author = ["Elastic"]
@@ -35,7 +35,7 @@ binaries' original file names, which is likely a custom binary deployed by the a
- Identify the user account that performed the action and whether it should perform this kind of action. - Contact the account owner and confirm whether they are aware of this activity. - Investigate other alerts associated with the user/host during the past 48 hours.
-- Check for similar behavior in other hosts in the environment.
+- Check for similar behavior in other hosts on the environment.
- Retrieve the file and determine if it is malicious: - Use a private sandboxed malware analysis system to perform analysis. - Observe and collect information about the following activities:
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index cbea2b74b..ca2923690 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -1,7 +1,7 @@
[metadata] creation_date = "2020/02/18" maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/13"
[rule] author = ["Elastic"]
@@ -26,12 +26,12 @@ This rule looks for system shells being spawned by `services.exe`, which is comp
#### Possible investigation steps - Investigate the process execution chain (parent process tree).
-- Identify how the service was created or modified (Look for registry changes events or Windows events related to
-service activities (i.e., 4697 and/or 7045)).
+- Identify how the service was created or modified. Look for registry changes events or Windows events related to
+service activities (for example, 4697 and/or 7045).
- Identify the user account that performed the action and whether it should perform this kind of action. - Contact the account owner and confirm whether they are aware of this activity. - Investigate other alerts associated with the user/host during the past 48 hours.
-- Check for similar behavior in other hosts in the environment.
+- Check for similar behavior in other hosts on the environment.
- Check for commands executed under the spawned shell. ### False positive analysis
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index 46def9e74..281f756bd 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -1,7 +1,7 @@
[metadata] creation_date = "2021/01/09" maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/13"
[rule] author = ["Elastic", "Skoetting"]
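Review bot: The new line `+- Identify how the service was created or modified. Look for registry changes events or Windows events related to` carries over the pre-existing `registry changes events`; it should read `registry change events`. The event IDs on the continuation line are also left bare, and naming where each one is logged makes the step directly actionable for an analyst: `service activities (for example, Security event ID 4697 or System event ID 7045).` This bullet is inside the multi-line `note` string, whose opening and closing `"""` are outside the hunk.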
@@ -22,11 +22,10 @@ note = """## Triage and analysis
Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.
-Attackers can add users to privileged groups to maintain their level of access if other privileged accounts they do have
-access to get uncovered by the security team. This way, they can continue their operations even after the discovery of
-an abused account.
+Attackers can add users to privileged groups to maintain a level of access if their other privileged accounts are
+uncovered by the security team. This allows them to keep operating after the security team discovers abused accounts.
-This rule monitors events related to the addition of a user to one of the privileged groups.
+This rule monitors events related to a user being added to a privileged group.
#### Possible investigation steps
diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml
index 3a68f9d15..057df74fa 100644
--- a/rules/windows/privilege_escalation_installertakeover.toml
+++ b/rules/windows/privilege_escalation_installertakeover.toml
@@ -3,7 +3,7 @@ creation_date = "2021/11/25"
maturity = "production" min_stack_comments = "EQL optional fields syntax was not introduced until 7.16" min_stack_version = "7.16.0"
-updated_date = "2022/04/06"
+updated_date = "2022/04/13"
[rule] author = ["Elastic"]
@@ -32,7 +32,7 @@ which is outside the scope of this rule.
- Check the executable's digital signature. - Look for additional processes spawned by the process, command lines, and network communications. - Investigate other alerts associated with the user/host during the past 48 hours.
-- Check for similar behavior in other hosts in the environment.
+- Check for similar behavior in other hosts on the environment.
- Retrieve the file and determine if it is malicious: - Use a private sandboxed malware analysis system to perform analysis. - Observe and collect information about the following activities: