[New] First Time Seen NewCredentials Lgon Process (#3276)

* Create privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update rules/windows/privilege_escalation_newcreds_logon_rare_process.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 88f752bf8b)
Samirbous
2023-11-27 18:37:15 +00:00
committed by github-actions[bot]
parent a3388dbf36
commit 315b4df8ca
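--- a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
+++ b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/11/15"
+integration = ["system", "windows"]
+maturity = "production"
+min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
+min_stack_version = "8.4.0"
+updated_date = "2023/11/15"
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token
+forging capability that are often abused to bypass access control restrictions.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Time Seen NewCredentials Logon Process"
+risk_score = 47
+rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d"
+severity = "medium"
+references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi ")
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1134"
+name = "Access Token Manipulation"
+reference = "https://attack.mitre.org/techniques/T1134/"
+[[rule.threat.technique.subtechnique]]
+id = "T1134.001"
+name = "Token Impersonation/Theft"
+reference = "https://attack.mitre.org/techniques/T1134/001/"
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["process.executable"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"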
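Review bot: The rule ships without a `note` investigation guide or a `false_positives` entry, although NewCredentials (logon type 9) logons through the Advapi logon process are also produced by benign tooling such as `runas /netonly` or agents that run with alternate network credentials, so a new `process.executable` over the 7-day `history_window_start` will also fire on newly installed, updated or relocated software. Adding a `false_positives` array naming those sources and a `note` with triage steps (check the signer and parent of `process.executable`, whether the account routinely uses alternate credentials, and the host's subsequent network logons) would help analysts separate token-manipulation abuse from routine use. The `references` URL points at the Portuguese locale path (`/pt/blog/...`); the locale-neutral `https://www.elastic.co/blog/how-attackers-abuse-access-token-manipulation` is the more stable link. The description's `capability that are often abused` should read `capability that is often abused`.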