[Rule Tuning] Potential Modification of Accessibility Binaries (#546)

* [Rule Tuning] Potential Modification of Accessibility Binaries

* replaced wildcard matching with `in`

* indentation more consistent for readability

* eql syntax

* ecs_version
Samirbous
2020-12-08 12:42:34 +01:00
committed by GitHub
parent d59b2cb72b
commit 3fda16db71
@@ -11,17 +11,46 @@ adversary can modify the way these programs are launched to get a command prompt
system.
"""
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
language = "eql"
license = "Elastic License"
name = "Potential Modification of Accessibility Binaries"
risk_score = 21
references = ["https://www.elastic.co/blog/practical-security-engineering-stateful-detection"]
risk_score = 73
rule_id = "7405ddf1-6c8e-41ce-818f-48bea6bcaed8"
severity = "low"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
type = "query"
type = "eql"
query = '''
event.category:process and event.type:(start or process_started) and process.parent.name:winlogon.exe and not process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)
process where event.type in ("start", "process_started", "info") and
process.parent.name : ("Utilman.exe", "winlogon.exe") and user.name == "SYSTEM" and
process.args :
(
"C:\\Windows\\System32\\osk.exe",
"C:\\Windows\\System32\\Magnify.exe",
"C:\\Windows\\System32\\Narrator.exe",
"C:\\Windows\\System32\\Sethc.exe",
"utilman.exe",
"ATBroker.exe",
"DisplaySwitch.exe",
"sethc.exe"
)
and not process.pe.original_file_name in
(
"osk.exe",
"sethc.exe",
"utilman2.exe",
"DisplaySwitch.exe",
"ATBroker.exe",
"ScreenMagnifier.exe",
"SR.exe",
"Narrator.exe",
"magnify.exe",
"MAGNIFY.EXE"
)
/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */
/* and process.code_signature.subject_name == "Microsoft Windows" and process.code_signature.status == "trusted" */
'''
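Review bot: The exclusion on `process.pe.original_file_name` (the `not … in (…)` block after the args list) is case-sensitive, which is evidently why both `"magnify.exe"` and `"MAGNIFY.EXE"` are listed, but every other entry carries a single casing, so a genuine binary whose PE original name differs from the listed spelling only in case would not be excluded and would fire as a false positive. The same query already uses the case-insensitive `:` operator for `process.parent.name`, so the exclusion could use it as well and the duplicate entry could be dropped: `and not process.pe.original_file_name : (`. Separately, the `process.args` list mixes full `C:\\Windows\\System32\\…` paths with bare names (`utilman.exe`, `ATBroker.exe`, `DisplaySwitch.exe`, and `sethc.exe` in both forms); `:` appears to match each argument element as a whole, so whether a launch that uses the other form is caught depends on how winlogon invokes each binary — worth confirming against telemetry and recording in a comment next to the list, e.g. `/* paths vs. bare names reflect how winlogon launches each tool — verified against endpoint data */`. The hunk starts at line 11 of the file, so the rule header above `description` is outside the view.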