[New Rule] Potential Credential Access via Renamed COM+ Services DLL (#1569)
* [New Rule] Potential Credential Access via Renamed COM+ Services DLL
* update dates
* adding config note
* relinted
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* update minstack version
* minstack not needed, rule should work on previous versions
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit d1636258e4)
committed by
github-actions[bot]
parent
97bb3d5bc4
commit
3e5ed57546
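--- /dev/null
+++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2021/10/17"
+updated_date = "2021/10/17"
+maturity = "production"
+
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a
+process memory. This may indicate an attempt to dump LSASS memory while bypassing command line based detection in
+preparation for credential access.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Credential Access via Renamed COM+ Services DLL"
+note = """## Config
+
+You will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original
+File Name."""
+references = ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"]
+risk_score = 73
+rule_id = "c5c9f591-d111-4cf8-baec-c26a39bc31ef"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+sequence by process.entity_id with maxspan=1m
+[process where event.category == "process" and
+process.name : "rundll32.exe"]
+[process where event.category == "process" and event.dataset : "windows.sysmon_operational" and event.code == "7" and
+(file.pe.original_file_name : "COMSVCS.DLL" or file.pe.imphash : "EADBCCBB324829ACB5F2BBE87E5549A8") and
+/* renamed COMSVCS */
+not file.name : "COMSVCS.DLL"]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1003/"
+id = "T1003"
+name = "OS Credential Dumping"
+[[rule.threat.technique.subtechnique]]
+reference = "https://attack.mitre.org/techniques/T1003/001/"
+id = "T1003.001"
+name = "LSASS Memory"
+
+
+
+[rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0006/"
+id = "TA0006"
+name = "Credential Access"
+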
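Review bot: The `note` field's config guidance is incomplete for the `file.pe.imphash` branch of the query: Sysmon only emits an import hash when its `HashAlgorithms` setting includes IMPHASH (or `*`), so on a default hash configuration only the `file.pe.original_file_name` branch can ever match, and the note should say so. Suggested wording for the note body: `You will need to enable logging of ImageLoads (Event ID 7) in your Sysmon configuration and include COMSVCS.DLL by Imphash or Original File Name. The Imphash match requires Sysmon's HashAlgorithms setting to include IMPHASH; otherwise only the OriginalFileName match applies.` The `description` and `name` also read as covering any renamed COMSVCS.DLL image load, whereas the sequence is scoped to loads by `rundll32.exe`; a short sentence in the description stating that scope would help analysts tune and extend the rule. The first sequence step has no `event.type` constraint, so any process-category event for rundll32.exe (not only a start) satisfies it — presumably intentional, but worth a `/* any rundll32 process event */` comment beside it if so.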