diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
similarity index 79%
rename from rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
rename to rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
index 562dcc848..d7a5da067 100644
--- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/persistence_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -58,17 +58,42 @@ references = ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 risk_score = 73
 rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461"
 severity = "high"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "windows" and event.type == "start" and
- process.name : "cmd.exe" and process.parent.name : "sqlservr.exe" and
- not process.args : ("\\\\*", "diskfree", "rmdir", "mkdir", "dir", "del", "rename", "bcp", "*XMLNAMESPACES*",
- "?:\\MSSQL\\Backup\\Jobs\\sql_agent_backup_job.ps1", "K:\\MSSQL\\Backup\\msdb", "K:\\MSSQL\\Backup\\Logins")
+process where host.os.type == "windows" and event.type == "start" and process.parent.name : "sqlservr.exe" and
+ (
+ (process.name : "cmd.exe" and
+ not process.args : ("\\\\*", "diskfree", "rmdir", "mkdir", "dir", "del", "rename", "bcp", "*XMLNAMESPACES*",
+ "?:\\MSSQL\\Backup\\Jobs\\sql_agent_backup_job.ps1", "K:\\MSSQL\\Backup\\msdb", "K:\\MSSQL\\Backup\\Logins")) or
+
+ (process.name : "vpnbridge.exe" or process.pe.original_file_name : "vpnbridge.exe") or
+
+ (process.name : "certutil.exe" or process.pe.original_file_name == "CertUtil.exe") or
+
+ (process.name : "bitsadmin.exe" or process.pe.original_file_name == "bitsadmin.exe")
+ )
 '''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1505"
+name = "Server Software Component"
+reference = "https://attack.mitre.org/techniques/T1505/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1505.001"
+name = "SQL Stored Procedures"
+reference = "https://attack.mitre.org/techniques/T1505/001/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules_building_block/collection_archive_data_zip_imageload.toml b/rules_building_block/collection_archive_data_zip_imageload.toml
index 757ae8b42..8026bd146 100644
--- a/rules_building_block/collection_archive_data_zip_imageload.toml
+++ b/rules_building_block/collection_archive_data_zip_imageload.toml
@@ -21,7 +21,7 @@ name = "Compression DLL Loaded by Unusual Process"
 risk_score = 21
 rule_id = "d197478e-39f0-4347-a22f-ba654718b148"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Endgame", "Rule Type: BBR"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"]
 timestamp_override = "event.ingested"
 type = "eql"
 building_block_type = "default"
diff --git a/rules_building_block/initial_access_unusual_process_sql_accounts.toml b/rules_building_block/initial_access_unusual_process_sql_accounts.toml
new file mode 100644
index 000000000..80d8aa5b7
--- /dev/null
+++ b/rules_building_block/initial_access_unusual_process_sql_accounts.toml
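Review bot: The new `process.pe.original_file_name` checks in the query are inconsistent: the vpnbridge branch uses the case-insensitive `:` operator while the certutil and bitsadmin branches use `==` with `"CertUtil.exe"` and `"bitsadmin.exe"`, and in EQL `==` on a keyword field is an exact, case-sensitive comparison, so a PE original name recorded with different casing would only match via process.name. Using `:` on all three keeps the branches uniform, e.g. `(process.name : "certutil.exe" or process.pe.original_file_name : "CertUtil.exe") or` and `(process.name : "bitsadmin.exe" or process.pe.original_file_name : "bitsadmin.exe")`. The tags array swaps "Tactic: Execution" for "Tactic: Persistence", yet the trailing context shows a further `[[rule.threat]]` block retained after the new Persistence one; if that block still maps to the Execution tactic, the tags should list both tactics, since the rule's tactic tags are expected to mirror every `rule.threat.tactic` entry. The rest of that retained threat block lies outside the hunk.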
@@ -0,0 +1,79 @@
+[metadata]
+creation_date = "2023/08/25"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/25"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies unusual process executions using MSSQL Service accounts, which can indicate the exploitation/compromise of SQL
+instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unusual Process For MSSQL Service Accounts"
+references = [
+ "https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/",
+ "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16"
+]
+risk_score = 21
+rule_id = "e74d645b-fec6-431e-bf93-ca64a538e0de"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+process where event.type == "start" and host.os.type == "windows" and
+ user.name : (
+ "SQLSERVERAGENT", "SQLAGENT$*",
+ "MSSQLSERVER", "MSSQL$*",
+ "MSSQLServerOLAPService",
+ "ReportServer*", "MsDtsServer150",
+ "MSSQLFDLauncher*",
+ "SQLServer2005SQLBrowserUser$*",
+ "SQLWriter", "winmgmt"
+ ) and user.domain : "NT SERVICE" and
+ not (
+ process.name : (
+ "sqlceip.exe", "sqlservr.exe", "sqlagent.exe",
+ "msmdsrv.exe", "ReportingServicesService.exe",
+ "MsDtsSrvr.exe", "sqlbrowser.exe"
+ ) and (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true)
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1505"
+name = "Server Software Component"
+reference = "https://attack.mitre.org/techniques/T1505/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
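Review bot: The `user.name` list hard-codes the Integration Services account as `"MsDtsServer150"`, which is the SQL Server 2019 service name, while the neighbouring entries (`"SQLAGENT$*"`, `"MSSQL$*"`, `"ReportServer*"`, `"MSSQLFDLauncher*"`) use wildcards; other SQL Server releases register the service as `MsDtsServer<version>` (for example `MsDtsServer140` or `MsDtsServer160`), so those hosts fall outside the rule. Changing the entry to `"MsDtsServer*"` keeps it version-independent and consistent with the rest of the list. `"winmgmt"` does not look like an MSSQL service account (it is the name of the Windows Management Instrumentation service), so a TOML comment above `query = '''` stating why it is in the list would spare the next maintainer the same question. The blank-line layout of the two `[[rule.threat]]` blocks is also uneven (no blank line between `framework` and the first `[[rule.threat.technique]]`, two before each `[rule.threat.tactic]`, two after the closing `'''`), which is worth normalizing to one blank line between tables.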