From 34b37c0bfd0f8805e3cf0fb71bce9c1c84cec331 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Wed, 21 Jul 2021 02:08:04 -0500 Subject: [PATCH] [Rule Tuning] Mimikatz powershell module activity detected (#1297) * update query * add indexes (cherry picked from commit 95e6458c6ef553c5da1b0059aae15371ebefe904) --- .../credential_access_mimikatz_powershell_module.toml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml index a18ca86a8..34d7bb5af 100644 --- a/rules/windows/credential_access_mimikatz_powershell_module.toml +++ b/rules/windows/credential_access_mimikatz_powershell_module.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/07" maturity = "development" -updated_date = "2021/05/10" +updated_date = "2021/06/17" [rule] author = ["Elastic"] @@ -11,10 +11,10 @@ other features that make it useful for testing the security of networks. This ru PowerShell command. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" -name = "Mimikatz Powershell Module Activity Detected" +name = "Mimikatz Powershell Module Activity" note = """## Triage and analysis This rule identifies an adversary attempt to collect, decrypt, and/or use cached credentials. Alerts from this rule should be prioritized because an adversary has an initial foothold onto an endpoint.""" @@ -27,11 +27,10 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type in ("start", "process_started") and process.name in ("cmd.exe", "powershell.exe") +process where event.type in ("start", "process_started") and process.name : ("cmd.exe", "powershell.exe", "pwsh.exe") and process.args : ("*DumpCreds", "*Mimikatz*") ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
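Review bot: The `winlogbeat-*` and `logs-windows.*` entries added to `index` only yield matches where the event source actually populates `process.args`, which the query in the next hunk depends on; as far as I know Security 4688 events carry the command line only when command-line auditing is enabled, so on such sources this rule stays silent without any error. That operational prerequisite is not stated anywhere in the rule, and an analyst reading `note` cannot tell why coverage differs between Sysmon-backed and Security-log-backed hosts. Suggest recording it alongside the triage text, e.g. a line in `note` such as `Requires process command-line visibility (Sysmon event 1, or Security 4688 with command-line auditing enabled) so that process.args is populated.` The `[rule]` table continues outside this hunk.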
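Review bot: The two `process.args` patterns in the rewritten query are anchored differently: `"*DumpCreds"` is open only on the left while `"*Mimikatz*"` is open on both sides, and since `process.args` is matched per argument token rather than against the whole command line, the first pattern only fires on an argument that ends exactly in `DumpCreds`. If the end anchor is deliberate to keep false positives down, a short comment line in the query body, e.g. `// DumpCreds is end-anchored on purpose: the switch is expected as a bare token`, would keep the next tuner from "fixing" it; if it is not deliberate, `"*DumpCreds*"` is the form consistent with the second pattern. The `[[rule.threat]]` section continues outside this hunk.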
@@ -44,4 +43,3 @@ reference = "https://attack.mitre.org/techniques/T1003/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-