From 3f8a7573f78554320abce8eccc24a508d1e8106f Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Tue, 8 Dec 2020 11:31:03 +0100 Subject: [PATCH] [New Rule] Remotely Started Services (#542) * [New Rule] Remotely Started Services * added a common FP msiexec * Update lateral_movement_remote_services.toml * eql syntax * Update rules/windows/lateral_movement_remote_services.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update lateral_movement_remote_services.toml * port numb * ecs_version * added RPC to alert name * Update rules/windows/lateral_movement_remote_services.toml Co-authored-by: Justin Ibarra Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra --- .../lateral_movement_remote_services.toml | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 rules/windows/lateral_movement_remote_services.toml diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml new file mode 100644 index 000000000..64cef67cf --- /dev/null +++ b/rules/windows/lateral_movement_remote_services.toml @@ -0,0 +1,51 @@ +[metadata] +creation_date = "2020/11/16" +maturity = "production" +updated_date = "2020/11/16" + +[rule] +author = ["Elastic"] +description = """ +Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral +movement, but will be noisy if commonly done by administrators." +""" +from = "now-9m" +index = ["logs-endpoint.events.*", "winlogbeat-*"] +language = "eql" +license = "Elastic License" +name = "Remotely Started Services via RPC" +risk_score = 47 +rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650" +severity = "medium" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Execution"] +type = "eql" + +query = ''' +sequence with maxspan=1s + [network where process.name : "services.exe" and + network.direction == "incoming" and network.transport == "tcp" and + source.port >= 49152 and destination.port >= 49152 and source.address not in ("127.0.0.1", "::1") + ] by host.id, process.entity_id + + [process where event.type in ("start", "process_started") and process.parent.name : "services.exe" and + not (process.name : "svchost.exe" and process.args : "tiledatamodelsvc") and + not (process.name : "msiexec.exe" and process.args : "/V") + + /* uncomment if psexec is noisy in your environment */ + /* and not process.name : "PSEXESVC.exe" */ + ] by host.id, process.parent.entity_id +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1035" +name = "Service Execution" +reference = "https://attack.mitre.org/techniques/T1035/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/"