From 3deff0eeb863d08196b9b155f22294b06276e05d Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 2 Dec 2020 21:20:13 +0100
Subject: [PATCH] [New Rule] Remote Execution via File Shares (#455)
* [New Rule] Remote Execution via File Shares
* removed timeline_id
* fixed tags
* added extension to reduce response time
* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
Co-authored-by: Justin Ibarra
* ecs_version
* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 ...nt_execution_via_file_shares_sequence.toml | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
new file mode 100644
index 000000000..d1678826e
--- /dev/null
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -0,0 +1,42 @@
+[metadata]
+creation_date = "2020/11/03"
+maturity = "production"
+updated_date = "2020/11/03"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement
+via network file shares.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License"
+name = "Remote Execution via File Shares"
+references = ["https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"]
+risk_score = 47
+rule_id = "ab75c24b-2502-43a0-bf7c-e60e662c811e"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+type = "eql"
+
+query = '''
+sequence with maxspan=1m
+ [file where event.type in ("creation", "change") and process.pid == 4 and file.extension : "exe"] by host.id, file.path
+ [process where event.type in ("start", "process_started")] by host.id, process.executable
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1077"
+name = "Windows Admin Shares"
+reference = "https://attack.mitre.org/techniques/T1077/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
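Review bot: The `[[rule.threat.technique]]` block maps this new rule to T1077 "Windows Admin Shares", an ID that ATT&CK has deprecated in favor of T1021.002 (SMB/Windows Admin Shares, a sub-technique of T1021 Remote Services), so coverage reports and navigator layers built from current ATT&CK data will not pick the rule up. Suggest `id = "T1021"`, `name = "Remote Services"`, `reference = "https://attack.mitre.org/techniques/T1021/"`, adding the T1021.002 sub-technique if the rule schema in this repo already supports one. The rule also has no `false_positives` entry, although legitimate software-deployment and remote-administration tooling routinely copies an executable over an admin share and launches it, so a short note such as `false_positives = ["Legitimate remote administration and software deployment tools that copy and execute binaries over SMB shares."]` would help analysts triage. Finally, the sequence joins `file.path` to `process.executable`; I believe that join is a plain equality, so a difference in path casing or 8.3 short names between the file event and the process event would break the correlation — worth confirming against the endpoint data before relying on it.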