diff --git a/CLI.md b/CLI.md index 3c9cb4958..d2208905e 100644 --- a/CLI.md +++ b/CLI.md @@ -317,3 +317,62 @@ you can define `"debug": true` in your config file, or run `python -m detection- Precedence goes to the flag over the config file, so if debug is enabled in your config and you run `python -m detection-rules --no-debug`, debugging will be disabled. + + +## Using `transform` in rule toml + +A transform is any data that will be incorporated into _existing_ rule fields at build time, from within the +`TOMLRuleContents.to_dict` method. _How_ to process each transform should be defined within the `Transform` class as a +method specific to the transform type. + +### CLI support for investigation guide plugins + +This applies to osquery and insights for the moment but could expand in the future. + +``` +(venv38) ➜ detection-rules-fork git:(2597-validate-osquery-insights) python -m detection_rules dev transforms -h + +█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄ +█ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄ +█▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█ + +Usage: detection_rules dev transforms [OPTIONS] COMMAND [ARGS]... + + Commands for managing TOML [transform]. + +Options: + -h, --help Show this message and exit. + +Commands: + guide-plugin-convert Convert investigation guide plugin format to toml + guide-plugin-to-rule Convert investigation guide plugin format to toml +``` + +`guide-plugin-convert` will print out the formatted toml. + + +``` +(venv38) ➜ detection-rules-fork git:(2597-validate-osquery-insights) python -m detection_rules dev transforms guide-plugin-convert + +█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄ +█ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄ +█▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█ + +Enter plugin contents []: !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\nWHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"label2","ecs_mapping":{"labels":{"field":"description"},"agent.build.original":{"value":"fast"}}}} +[transform] + +[[transform.osquery]] +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\nWHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)" +label = "label2" + +[transform.osquery.ecs_mapping] + +[transform.osquery.ecs_mapping.labels] +field = "description" + +[transform.osquery.ecs_mapping."agent.build.original"] +value = "fast" +``` + +The easiest way to _update_ a rule with existing transform entries is to use `guide-plugin-convert` and manually add it +to the rule. \ No newline at end of file diff --git a/detection_rules/devtools.py b/detection_rules/devtools.py index 432c731c7..c4ad5d352 100644 --- a/detection_rules/devtools.py +++ b/detection_rules/devtools.py @@ -9,6 +9,7 @@ import functools import io import json import os +import re import shutil import subprocess import textwrap @@ -20,6 +21,7 @@ from pathlib import Path from typing import Dict, List, Optional, Tuple import click +import pytoml import requests.exceptions from semver import Version import yaml @@ -44,7 +46,7 @@ from .misc import PYTHON_LICENSE, add_client, client_error from .packaging import (CURRENT_RELEASE_PATH, PACKAGE_FILE, RELEASE_DIR, Package, current_stack_version) from .rule import (AnyRuleData, BaseRuleData, DeprecatedRule, QueryRuleData, - ThreatMapping, TOMLRule) + ThreatMapping, TOMLRule, TOMLRuleContents, RuleTransform) from .rule_loader import RuleCollection, production_filter from .schemas import definitions, get_stack_versions from .utils import (dict_hash, get_etc_path, get_path, load_dump, @@ -1346,3 +1348,65 @@ def update_attack_in_rules() -> List[Optional[TOMLRule]]: else: click.echo('No rule changes needed') return new_rules + + +@dev_group.group('transforms') +def transforms_group(): + """Commands for managing TOML [transform].""" + + +def guide_plugin_convert_(contents: Optional[str] = None, default: Optional[str] = '' + ) -> Optional[Dict[str, Dict[str, list]]]: + """Convert investigation guide plugin format to toml""" + contents = contents or click.prompt('Enter plugin contents', default=default) + if not contents: + return + + parsed = re.match(r'!{(?P\w+)(?P{.+})}', contents.strip()) + try: + plugin = parsed.group('plugin') + data = parsed.group('data') + except AttributeError as e: + raise client_error('Unrecognized pattern', exc=e) + loaded = {'transform': {plugin: [json.loads(data)]}} + click.echo(pytoml.dumps(loaded)) + return loaded + + +@transforms_group.command('guide-plugin-convert') +def guide_plugin_convert(contents: Optional[str] = None, default: Optional[str] = '' + ) -> Optional[Dict[str, Dict[str, list]]]: + """Convert investigation guide plugin format to toml.""" + return guide_plugin_convert_(contents=contents, default=default) + + +@transforms_group.command('guide-plugin-to-rule') +@click.argument('rule-path', type=Path) +@click.pass_context +def guide_plugin_to_rule(ctx: click.Context, rule_path: Path, save: bool = True) -> TOMLRule: + """Convert investigation guide plugin format to toml and save to rule.""" + rc = RuleCollection() + rule = rc.load_file(rule_path) + + transforms = defaultdict(list) + existing_transform = rule.contents.transform + transforms.update(existing_transform.to_dict() if existing_transform is not None else {}) + + click.secho('(blank line to continue)', fg='yellow') + while True: + loaded = ctx.invoke(guide_plugin_convert) + if not loaded: + break + + data = loaded['transform'] + for plugin, entries in data.items(): + transforms[plugin].extend(entries) + + transform = RuleTransform.from_dict(transforms) + new_contents = TOMLRuleContents(data=rule.contents.data, metadata=rule.contents.metadata, transform=transform) + updated_rule = TOMLRule(contents=new_contents, path=rule.path) + + if save: + updated_rule.save_toml() + + return updated_rule diff --git a/detection_rules/rule.py b/detection_rules/rule.py index 913bff417..008467753 100644 --- a/detection_rules/rule.py +++ b/detection_rules/rule.py @@ -33,7 +33,7 @@ from .rule_formatter import nested_normalize, toml_write from .schemas import (SCHEMA_DIR, definitions, downgrade, get_min_supported_stack_version, get_stack_schemas) from .schemas.stack_compat import get_restricted_fields -from .utils import cached +from .utils import cached, PatchedTemplate _META_SCHEMA_REQ_DEFAULTS = {} MIN_FLEET_PACKAGE_VERSION = '7.13.0' @@ -71,6 +71,60 @@ class RuleMeta(MarshmallowDataclassMixin): return stack_versions +@dataclass(frozen=True) +class RuleTransform(MarshmallowDataclassMixin): + """Data stored in a rule's [transform] section of TOML.""" + + # note (investigation guides) Markdown plugins + # /elastic/kibana/tree/main/x-pack/plugins/security_solution/public/common/components/markdown_editor/plugins + ############################################## + + # timelines out of scope at the moment + + @dataclass(frozen=True) + class OsQuery: + label: str + query: str + ecs_mapping: Optional[Dict[str, Dict[Literal['field', 'value'], str]]] + + @dataclass(frozen=True) + class Insight: + @dataclass(frozen=True) + class Provider: + field: str + value: str + type: str + + label: str + providers: List[List[Provider]] + + # these must be lists in order to have more than one. Their index in the list is how they will be referenced in the + # note string templates + osquery: Optional[List[OsQuery]] + insight: Optional[List[Insight]] + + @validates_schema + def validate_transforms(self, value: dict, **kwargs): + """Validate transform fields.""" + # temporarily invalidate insights until schema stabilizes + insight = value.get('insight') + if insight is not None: + raise NotImplementedError('Insights are not stable yet.') + return + + def render_insight_osquery_to_string(self) -> Dict[Literal['osquery', 'insight'], List[str]]: + obj = self.to_dict() + + rendered: Dict[Literal['osquery', 'insight'], List[str]] = {'osquery': [], 'insight': []} + for plugin, entries in obj.items(): + for entry in entries: + rendered[plugin].append(f'!{{{plugin}{json.dumps(entry, sort_keys=True, separators=(",", ":"))}}}') + + return rendered + + ############################################## + + @dataclass(frozen=True) class BaseThreatEntry: id: str @@ -280,6 +334,32 @@ class BaseRuleData(MarshmallowDataclassMixin, StackCompatMixin): return build_fields + @classmethod + def process_transforms(cls, transform: RuleTransform, obj: dict) -> dict: + """Process transforms from toml [transform] called in TOMLRuleContents.to_dict.""" + # only create functions that CAREFULLY mutate the obj dict + + def process_note_plugins(): + """Format the note field with osquery and insight plugin strings.""" + note = obj.get('note') + if not note: + return + + rendered = transform.render_insight_osquery_to_string() + rendered_patterns = {} + for plugin, entries in rendered.items(): + rendered_patterns.update(**{f'{plugin}_{i}': e for i, e in enumerate(entries)}) + + note_template = PatchedTemplate(note) + rendered_note = note_template.substitute(**rendered_patterns) + obj['note'] = rendered_note + + # call transform functions + if transform: + process_note_plugins() + + return obj + class DataValidator: """Additional validation beyond base marshmallow schema validation.""" @@ -759,7 +839,7 @@ class BaseRuleContents(ABC): min_stack = self.convert_supported_version(rule_min_stack) return f"{min_stack.major}.{min_stack.minor}" - def _post_dict_transform(self, obj: dict) -> dict: + def _post_dict_conversion(self, obj: dict) -> dict: """Transform the converted API in place before sending to Kibana.""" # cleanup the whitespace in the rule @@ -772,7 +852,7 @@ class BaseRuleContents(ABC): return obj @abstractmethod - def to_api_format(self, include_version=True) -> dict: + def to_api_format(self, include_version: bool = True) -> dict: """Convert the rule to the API format.""" @cached @@ -786,6 +866,7 @@ class BaseRuleContents(ABC): class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): """Rule object which maps directly to the TOML layout.""" metadata: RuleMeta + transform: Optional[RuleTransform] data: AnyRuleData = field(metadata=dict(data_key="rule")) @cached_property @@ -835,14 +916,14 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): def type(self) -> str: return self.data.type - def _post_dict_transform(self, obj: dict) -> dict: + def _post_dict_conversion(self, obj: dict) -> dict: """Transform the converted API in place before sending to Kibana.""" - super()._post_dict_transform(obj) + super()._post_dict_conversion(obj) # build time fields - self._add_related_integrations(obj) - self._add_required_fields(obj) - self._add_setup(obj) + self._convert_add_related_integrations(obj) + self._convert_add_required_fields(obj) + self._convert_add_setup(obj) # validate new fields against the schema rule_type = obj['type'] @@ -854,7 +935,7 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): return obj - def _add_related_integrations(self, obj: dict) -> None: + def _convert_add_related_integrations(self, obj: dict) -> None: """Add restricted field related_integrations to the obj.""" field_name = "related_integrations" package_integrations = obj.get(field_name, []) @@ -886,7 +967,7 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): obj.setdefault("related_integrations", package_integrations) - def _add_required_fields(self, obj: dict) -> None: + def _convert_add_required_fields(self, obj: dict) -> None: """Add restricted field required_fields to the obj, derived from the query AST.""" if isinstance(self.data, QueryRuleData) and self.data.language != 'lucene': index = obj.get('index') or [] @@ -898,7 +979,7 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): if required_fields and self.check_restricted_field_version(field_name=field_name): obj.setdefault(field_name, required_fields) - def _add_setup(self, obj: dict) -> None: + def _convert_add_setup(self, obj: dict) -> None: """Add restricted field setup to the obj.""" rule_note = obj.get("note", "") field_name = "setup" @@ -915,7 +996,7 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): # parse note tree for i, child in enumerate(parsed_note.children): if child.get_type() == "Heading" and "Setup" in gfm.render(child): - field_value = self._get_setup_content(parsed_note.children[i + 1:]) + field_value = self._convert_get_setup_content(parsed_note.children[i + 1:]) # clean up old note field investigation_guide = rule_note.replace("## Setup\n\n", "") @@ -925,7 +1006,7 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): break @cached - def _get_setup_content(self, note_tree: list) -> str: + def _convert_get_setup_content(self, note_tree: list) -> str: """Get note paragraph starting from the setup header.""" setup = [] for child in note_tree: @@ -934,17 +1015,17 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): elif child.get_type() == "CodeSpan": setup.append(f"`{gfm.renderer.render_raw_text(child)}`") elif child.get_type() == "Paragraph": - setup.append(self._get_setup_content(child.children)) + setup.append(self._convert_get_setup_content(child.children)) setup.append("\n") elif child.get_type() == "FencedCode": - setup.append(f"```\n{self._get_setup_content(child.children)}\n```") + setup.append(f"```\n{self._convert_get_setup_content(child.children)}\n```") setup.append("\n") elif child.get_type() == "RawText": setup.append(child.children) elif child.get_type() == "Heading" and child.level >= 2: break else: - setup.append(self._get_setup_content(child.children)) + setup.append(self._convert_get_setup_content(child.children)) return "".join(setup).strip() @@ -999,7 +1080,7 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): return packaged_integrations @validates_schema - def post_validation(self, value: dict, **kwargs): + def post_conversion_validation(self, value: dict, **kwargs): """Additional validations beyond base marshmallow schemas.""" data: AnyRuleData = value["data"] metadata: RuleMeta = value["metadata"] @@ -1013,6 +1094,7 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): # result from union fields which contain classes and related subclasses (AnyRuleData). See issue #1141 metadata = self.metadata.to_dict(strip_none_values=strip_none_values) data = self.data.to_dict(strip_none_values=strip_none_values) + self.data.process_transforms(self.transform, data) dict_obj = dict(metadata=metadata, rule=data) return nested_normalize(dict_obj) @@ -1025,7 +1107,7 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): def to_api_format(self, include_version=True) -> dict: """Convert the TOML rule to the API format.""" converted = self.data.to_dict() - converted = self._post_dict_transform(converted) + converted = self._post_dict_conversion(converted) if include_version: converted["version"] = self.autobumped_version @@ -1071,7 +1153,9 @@ class TOMLRule: def save_toml(self): assert self.path is not None, f"Can't save rule {self.name} (self.id) without a path" - converted = self.contents.to_dict() + converted = dict(metadata=self.contents.metadata.to_dict(), rule=self.contents.data.to_dict()) + if self.contents.transform: + converted['transform'] = self.contents.transform.to_dict() toml_write(converted, str(self.path.absolute())) def save_json(self, path: Path, include_version: bool = True): @@ -1085,6 +1169,7 @@ class TOMLRule: class DeprecatedRuleContents(BaseRuleContents): metadata: dict data: dict + transform: Optional[dict] @cached_property def version_lock(self): @@ -1116,15 +1201,22 @@ class DeprecatedRuleContents(BaseRuleContents): @classmethod def from_dict(cls, obj: dict): - return cls(metadata=obj['metadata'], data=obj['rule']) + kwargs = dict(metadata=obj['metadata'], data=obj['rule']) + kwargs['transform'] = obj['transform'] if 'transform' in obj else None + return cls(**kwargs) def to_api_format(self, include_version=True) -> dict: """Convert the TOML rule to the API format.""" - converted = copy.deepcopy(self.data) + data = copy.deepcopy(self.data) + if self.transform: + transform = RuleTransform.from_dict(self.transform) + BaseRuleData.process_transforms(transform, data) + + converted = data if include_version: converted["version"] = self.autobumped_version - converted = self._post_dict_transform(converted) + converted = self._post_dict_conversion(converted) return converted diff --git a/detection_rules/rule_formatter.py b/detection_rules/rule_formatter.py index 53f53c209..5d8516768 100644 --- a/detection_rules/rule_formatter.py +++ b/detection_rules/rule_formatter.py @@ -217,8 +217,10 @@ def toml_write(rule_contents, outfile=None): needs_close = True outfile = open(outfile, 'w') - for data in ('metadata', 'rule'): + for data in ('metadata', 'transform', 'rule'): _contents = contents.get(data, {}) + if not _contents: + continue order_rule(_contents) _do_write(data, _contents) diff --git a/detection_rules/utils.py b/detection_rules/utils.py index a09290abb..749d4ad2a 100644 --- a/detection_rules/utils.py +++ b/detection_rules/utils.py @@ -22,6 +22,7 @@ from dataclasses import is_dataclass, astuple from datetime import datetime, date from pathlib import Path from typing import Dict, Union, Optional, Callable +from string import Template import click import pytoml @@ -387,3 +388,24 @@ class Ndjson(list): def load(cls, filename: Path, **kwargs): """Load content from an ndjson file.""" return cls.from_string(filename.read_text(), **kwargs) + + +class PatchedTemplate(Template): + """String template with updated methods from future versions.""" + + def get_identifiers(self): + """Returns a list of the valid identifiers in the template, in the order they first appear, ignoring any + invalid identifiers.""" + # https://github.com/python/cpython/blob/3b4f8fc83dcea1a9d0bc5bd33592e5a3da41fa71/Lib/string.py#LL157-L171C19 + ids = [] + for mo in self.pattern.finditer(self.template): + named = mo.group('named') or mo.group('braced') + if named is not None and named not in ids: + # add a named group only the first time it appears + ids.append(named) + elif named is None and mo.group('invalid') is None and mo.group('escaped') is None: + # If all the groups are None, there must be + # another group we're not expecting + raise ValueError('Unrecognized named group in pattern', + self.pattern) + return ids diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml index fc975bafc..9f82526f9 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml @@ -5,6 +5,23 @@ updated_date = "2023/03/06" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] + [[transform.osquery]] + label = "Osquery - Retrieve DNS Cache" + query = "SELECT * FROM dns_cache" + + [[transform.osquery]] + label = "Osquery - Retrieve All Services" + query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + + [[transform.osquery]] + label = "Osquery - Retrieve Services Running on User Accounts" + query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)" + + [[transform.osquery]] + label = "Retrieve Service Unisgned Executables with Virustotal Link" + query = "SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'" + [rule] anomaly_threshold = 50 author = ["Elastic"] @@ -51,12 +68,12 @@ This rule uses a machine learning job to detect a Windows process that is rare a - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Retrieve Service Unisgned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. ### False Positive Analysis diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml index 04b513f85..aca7f3feb 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml @@ -5,6 +5,32 @@ updated_date = "2023/03/06" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Retrieve Service Unisgned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] anomaly_threshold = 50 author = ["Elastic"] @@ -51,12 +77,12 @@ This rule uses a machine learning job to detect a Windows process that is rare a - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Retrieve Service Unisgned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. ### False Positive Analysis @@ -91,7 +117,6 @@ rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172" severity = "low" tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence", "Execution"] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -110,13 +135,12 @@ framework = "MITRE ATT&CK" id = "T1204" name = "User Execution" reference = "https://attack.mitre.org/techniques/T1204/" +[[rule.threat.technique.subtechnique]] +id = "T1204.002" +name = "Malicious File" +reference = "https://attack.mitre.org/techniques/T1204/002/" - [[rule.threat.technique.subtechnique]] - id = "T1204.002" - name = "Malicious File" - reference = "https://attack.mitre.org/techniques/T1204/002/" - [rule.threat.tactic] id = "TA0002" diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml index d62d63581..aea5bace6 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml @@ -5,6 +5,32 @@ updated_date = "2023/03/06" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Retrieve Service Unisgned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] anomaly_threshold = 50 author = ["Elastic"] @@ -54,12 +80,12 @@ This rule uses a machine learning job to detect an anomalous Windows process wit - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Retrieve Service Unisgned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. ### False Positive Analysis @@ -94,7 +120,6 @@ rule_id = "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5" severity = "low" tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence"] type = "machine_learning" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -106,4 +131,5 @@ reference = "https://attack.mitre.org/techniques/T1543/" [rule.threat.tactic] id = "TA0003" name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml index 68c7719f9..790282eb4 100644 --- a/rules/windows/command_and_control_certutil_network_connection.toml +++ b/rules/windows/command_and_control_certutil_network_connection.toml @@ -2,9 +2,35 @@ creation_date = "2020/03/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -40,12 +66,12 @@ This rule looks for network events where `certutil.exe` contacts IP ranges other - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. @@ -103,3 +129,4 @@ reference = "https://attack.mitre.org/techniques/T1105/" id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" + diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index 538a0e037..27394e228 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml @@ -2,9 +2,35 @@ creation_date = "2020/11/04" integration = ["endpoint"] maturity = "production" -updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -42,12 +68,12 @@ This rule looks for processes outside known legitimate program locations communi - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. @@ -166,3 +192,4 @@ reference = "https://attack.mitre.org/techniques/T1567/002/" id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml index f97c5d38e..a666a9fed 100644 --- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml +++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml @@ -6,6 +6,32 @@ updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -42,12 +68,12 @@ The `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop i - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml index 92f392bbe..23c0b56f4 100644 --- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml +++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml @@ -6,6 +6,32 @@ updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file." @@ -38,12 +64,12 @@ The `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used t - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml index 9aa6a93bd..7ad48cfe7 100644 --- a/rules/windows/command_and_control_remote_file_copy_powershell.toml +++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml @@ -6,6 +6,32 @@ updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = "Identifies powershell.exe being used to download an executable file from an untrusted remote destination." @@ -38,12 +64,12 @@ PowerShell is one of system administrators' main tools for automation, report ro - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml index 7618f6ed3..7cea42d0c 100644 --- a/rules/windows/command_and_control_remote_file_copy_scripts.toml +++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml @@ -6,6 +6,32 @@ updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -39,12 +65,12 @@ This rule looks for DLLs and executables downloaded using `cscript.exe` or `wscr - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml index 0a61052e0..e13d0867c 100644 --- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml +++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml @@ -2,9 +2,35 @@ creation_date = "2020/12/14" integration = ["endpoint"] maturity = "production" -updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -39,12 +65,12 @@ This rule identifies suspicious network connections that attempt to blend in wit - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml index 558c5f5f0..a6e1c8ed9 100644 --- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml +++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml @@ -6,6 +6,32 @@ updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session." @@ -37,12 +63,12 @@ TeamViewer is a remote access and remote control tool used by helpdesks and syst - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml index d3fa2abc9..f3d12ab9d 100644 --- a/rules/windows/credential_access_bruteforce_admin_account.toml +++ b/rules/windows/credential_access_bruteforce_admin_account.toml @@ -6,6 +6,32 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s min_stack_version = "8.3.0" updated_date = "2023/03/02" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -43,11 +69,11 @@ This rule identifies potential password guessing/brute force activity from a sin - Observe and collect information about the following activities in the alert source host: - Attempts to contact external domains and addresses. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity. ### False positive analysis diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml index 62e4d75a4..98c312abf 100644 --- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml +++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml @@ -4,7 +4,33 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/02" +updated_date = "2023/03/07" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -43,11 +69,11 @@ This rule identifies potential password guessing/brute force activity from a sin - Observe and collect information about the following activities in the alert source host: - Attempts to contact external domains and addresses. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity. ### False positive analysis diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml index fa5c8bf4d..e686dbac6 100644 --- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml +++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml @@ -4,7 +4,33 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/02" +updated_date = "2023/03/07" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -43,11 +69,11 @@ This rule identifies potential password guessing/brute force activity from a sin - Observe and collect information about the following activities in the alert source host: - Attempts to contact external domains and addresses. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity ### False positive analysis diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml index 05b86d3db..65a7bc901 100644 --- a/rules/windows/credential_access_credential_dumping_msbuild.toml +++ b/rules/windows/credential_access_credential_dumping_msbuild.toml @@ -6,6 +6,32 @@ updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -43,12 +69,12 @@ This rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml index d3aa578c5..fe9239f38 100644 --- a/rules/windows/credential_access_kerberoasting_unusual_process.toml +++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml @@ -6,6 +6,32 @@ updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -45,12 +71,12 @@ Domain-joined hosts usually perform Kerberos traffic using the `lsass.exe` proce - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml index 9a68b25ac..720ebf4fa 100644 --- a/rules/windows/credential_access_lsass_memdump_file_created.toml +++ b/rules/windows/credential_access_lsass_memdump_file_created.toml @@ -4,7 +4,33 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -41,12 +67,12 @@ This rule looks for the creation of memory dump files with file names compatible - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. @@ -77,7 +103,15 @@ references = ["https://github.com/outflanknl/Dumpert", "https://github.com/hoang risk_score = 73 rule_id = "f2f46686-6f3c-4724-bd7d-24e31c70f98f" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame", "Investigation Guide"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Elastic Endgame", + "Investigation Guide", +] timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c" timeline_title = "Comprehensive File Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml index e19319703..91bcc335d 100644 --- a/rules/windows/credential_access_lsass_memdump_handle_access.toml +++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml @@ -2,9 +2,35 @@ creation_date = "2022/02/16" integration = ["system", "windows"] maturity = "production" -updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -40,12 +66,12 @@ Adversaries may attempt to access credential material stored in LSASS process me - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml index bb59fca1a..4b1455c44 100644 --- a/rules/windows/credential_access_wireless_creds_dumping.toml +++ b/rules/windows/credential_access_wireless_creds_dumping.toml @@ -4,7 +4,33 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -34,12 +60,12 @@ This rule looks for patterns used to dump credentials from wireless network prof - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 ### False positive analysis @@ -62,7 +88,16 @@ references = [ risk_score = 73 rule_id = "2de87d72-ee0c-43e2-b975-5f0b029ac600" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Discovery", "Elastic Endgame", "Investigation Guide"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Credential Access", + "Discovery", + "Elastic Endgame", + "Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml index a99d2c3a9..1b81ed096 100644 --- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml +++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml @@ -4,12 +4,38 @@ integration = ["windows", "endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] description = """ -Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an +Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one. """ from = "now-9m" @@ -40,12 +66,12 @@ Attackers might copy a rogue AMSI DLL to an unusual location to prevent the proc - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 ### False positive analysis @@ -69,7 +95,15 @@ references = ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"] risk_score = 73 rule_id = "fa488440-04cc-41d7-9279-539387bf2a17" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", + "Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" @@ -90,6 +124,7 @@ id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" @@ -99,7 +134,10 @@ id = "T1574.001" name = "DLL Search Order Hijacking" reference = "https://attack.mitre.org/techniques/T1574/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml index 8128e0bd9..764a738af 100644 --- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml +++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml @@ -6,11 +6,38 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s min_stack_version = "8.3.0" updated_date = "2023/03/24" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ -Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. -An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection. +Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) +bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade +detection. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.*"] @@ -42,12 +69,12 @@ This rule identifies scripts that contain methods and classes that can be abused - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 ### False positive analysis @@ -78,8 +105,8 @@ type = "query" query = ''' event.category:"process" and host.os.type:windows and - (powershell.file.script_block_text : - ("System.Management.Automation.AmsiUtils" or + (powershell.file.script_block_text : + ("System.Management.Automation.AmsiUtils" or amsiInitFailed or "Invoke-AmsiBypass" or "Bypass.AMSI" or @@ -87,13 +114,13 @@ event.category:"process" and host.os.type:windows and AntimalwareProvider or amsiSession or amsiContext or - "System.Management.Automation.ScriptBlock" or + "System.Management.Automation.ScriptBlock" or AmsiInitialize or unloadobfuscated or unloadsilent or AmsiX64 or AmsiX32 or - FindAmsiFun) or + FindAmsiFun) or powershell.file.script_block_text:("[System.Runtime.InteropServices.Marshal]::Copy" and "VirtualProtect") or powershell.file.script_block_text:("[Ref].Assembly.GetType(('System.Management.Automation" and ".SetValue(") ) @@ -112,11 +139,11 @@ name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -134,3 +161,4 @@ reference = "https://attack.mitre.org/techniques/T1059/001/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml index ee1cf4892..f0b899ee7 100644 --- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml @@ -4,7 +4,33 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/02" +updated_date = "2023/03/07" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -42,12 +68,12 @@ This rule checks for renamed instances of MSBuild, which can indicate an attempt - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. ### False positive analysis @@ -75,7 +101,15 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", + "Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index e68d9ee7f..31e47193c 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml @@ -4,7 +4,33 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/02" +updated_date = "2023/03/07" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -41,12 +67,12 @@ This rule checks for renamed instances of AutoIt, which can indicate an attempt - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. ### False positive analysis @@ -74,7 +100,15 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "2e1e835d-01e5-48ca-b9fc-7a61f7f11902" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", + "Investigation Guide", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml index eaab7d9d2..3e1045ff7 100644 --- a/rules/windows/defense_evasion_masquerading_werfault.toml +++ b/rules/windows/defense_evasion_masquerading_werfault.toml @@ -4,7 +4,33 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/02" +updated_date = "2023/03/07" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -41,12 +67,12 @@ This rule identifies a potential malicious process masquerading as `wermgr.exe` - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml index c6ef8d38f..2506e9f9f 100644 --- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml +++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml @@ -4,7 +4,33 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -39,12 +65,12 @@ This rule identifies network connections established by trusted developer utilit - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. ### False positive analysis diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml index dc37bd7ad..baf74b0ac 100644 --- a/rules/windows/defense_evasion_posh_assembly_load.toml +++ b/rules/windows/defense_evasion_posh_assembly_load.toml @@ -6,6 +6,32 @@ updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -41,12 +67,12 @@ Attackers can use .NET reflection to load PEs and DLLs in memory. These payloads - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml index d0b96d343..78c92d01f 100644 --- a/rules/windows/defense_evasion_posh_compressed.toml +++ b/rules/windows/defense_evasion_posh_compressed.toml @@ -2,9 +2,35 @@ creation_date = "2021/10/19" integration = ["windows"] maturity = "production" -updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -42,12 +68,12 @@ Attackers can embed compressed and encoded payloads in scripts to load directly - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml index e4076050f..aa9318180 100644 --- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml +++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml @@ -6,6 +6,32 @@ updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -42,12 +68,12 @@ This rule identifies suspicious process access events from an unknown memory reg - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index 6769d6a78..2af0266b9 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml @@ -2,9 +2,35 @@ creation_date = "2020/08/19" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -39,12 +65,12 @@ This rule looks for the creation of executable files done by system-critical pro - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml index 81455185f..ed277b28b 100644 --- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml +++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml @@ -2,9 +2,35 @@ creation_date = "2021/01/21" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -44,12 +70,12 @@ Attackers can abuse these alternate data streams to hide malicious files, string - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml index c8bde3608..f0e14e46e 100644 --- a/rules/windows/discovery_privileged_localgroup_membership.toml +++ b/rules/windows/discovery_privileged_localgroup_membership.toml @@ -2,9 +2,35 @@ creation_date = "2020/10/15" integration = ["system", "windows"] maturity = "production" -updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -40,12 +66,12 @@ This rule looks for the enumeration of privileged local groups' membership by su - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml index 5f15f904b..b7a037367 100644 --- a/rules/windows/execution_command_shell_started_by_svchost.toml +++ b/rules/windows/execution_command_shell_started_by_svchost.toml @@ -2,9 +2,35 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -36,12 +62,12 @@ This rule looks for the creation of the `cmd.exe` process with `svchost.exe` as - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml index 22d9fe16e..df5e563a5 100644 --- a/rules/windows/execution_from_unusual_path_cmdline.toml +++ b/rules/windows/execution_from_unusual_path_cmdline.toml @@ -2,9 +2,35 @@ creation_date = "2020/10/30" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -37,12 +63,12 @@ This rule looks for the execution of scripts from unusual directories. Attackers - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml index 27b88113b..a721fdb32 100644 --- a/rules/windows/execution_posh_portable_executable.toml +++ b/rules/windows/execution_posh_portable_executable.toml @@ -2,9 +2,35 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -40,12 +66,12 @@ Attackers can abuse PowerShell in-memory capabilities to inject executables into - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml index 68e559f51..808216b38 100644 --- a/rules/windows/execution_posh_psreflect.toml +++ b/rules/windows/execution_posh_psreflect.toml @@ -2,9 +2,35 @@ creation_date = "2021/10/15" integration = ["windows"] maturity = "production" -updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -46,12 +72,12 @@ Detecting the core implementation of PSReflect means detecting most of the tooli - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index aee5002a3..1e7016d53 100644 --- a/rules/windows/execution_via_compiled_html_file.toml +++ b/rules/windows/execution_via_compiled_html_file.toml @@ -4,7 +4,33 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/02" +updated_date = "2023/03/07" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -49,12 +75,12 @@ When users double-click CHM files, the HTML Help executable program (`hh.exe`) w - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml index 7d9a1b33b..f1d979190 100644 --- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml +++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml @@ -2,9 +2,35 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -40,12 +66,12 @@ This rule looks for unexpected processes making network connections over port 44 - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index 030f4355b..c522f7f6b 100644 --- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml @@ -6,6 +6,32 @@ updated_date = "2023/03/06" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -37,12 +63,12 @@ Adversaries can use network shares to host tooling to support the compromise of - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml index 9558e5f1d..3df52c526 100644 --- a/rules/windows/lateral_movement_remote_services.toml +++ b/rules/windows/lateral_movement_remote_services.toml @@ -6,6 +6,32 @@ updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -42,12 +68,12 @@ This rule detects the remote creation or start of a service by correlating a `se - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index d887521bd..aee993eed 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml @@ -6,6 +6,32 @@ updated_date = "2023/03/06" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = "Detects writing executable files that will be automatically launched by Adobe on launch." @@ -35,12 +61,12 @@ Attackers can replace the `RdrCEF.exe` executable with their own to maintain the - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml index d90a308fc..bd15a993f 100644 --- a/rules/windows/persistence_appinitdlls_registry.toml +++ b/rules/windows/persistence_appinitdlls_registry.toml @@ -4,12 +4,50 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/03/07" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve AppInit Registry Value" +query = """ +SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows' or +r.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows') and r.name == +'AppInit_DLLs' +""" + +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] description = """ -AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine. +AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads +user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode +processes, allowing for the customization of the user interface and the behavior of Windows-based applications. +Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process +injection, and provide a solid and constant persistence on the machine. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] @@ -36,19 +74,19 @@ This rule identifies modifications on the AppInit registry keys. - Check whether the DLL is signed, and tied to a authorized program used on your environment. - Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. - Retrieve all DLLs under the AppInit registry keys: - - !{osquery{"query":"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name == 'AppInit_DLLs'","label":"Osquery - Retrieve AppInit Registry Value"}} + - $osquery_0 - Examine the host for derived artifacts that indicate suspicious activities: - Analyze the process executable and the DLLs using a private sandboxed analysis system. - Observe and collect information about the following activities in both the sandbox and the alert subject host: - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_1 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_2 + - $osquery_3 + - $osquery_4 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. ### False positive analysis diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml index f09e45e91..3da9654a1 100644 --- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml +++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml @@ -6,6 +6,32 @@ updated_date = "2023/03/06" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -38,12 +64,12 @@ Techniques used within malware and by adversaries often leverage the Windows reg - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml index ac32b9eff..258644f0c 100644 --- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml +++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml @@ -6,6 +6,32 @@ updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -44,12 +70,12 @@ This rule looks for the execution of supposed accessibility binaries that don't - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml index 2187a1b14..39578c31d 100644 --- a/rules/windows/persistence_run_key_and_startup_broad.toml +++ b/rules/windows/persistence_run_key_and_startup_broad.toml @@ -2,9 +2,35 @@ creation_date = "2020/11/18" integration = ["endpoint"] maturity = "production" -updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -38,12 +64,12 @@ Adversaries may achieve persistence by referencing a program with a registry run - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml index ae3060dc2..56a07c77a 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml @@ -6,6 +6,32 @@ updated_date = "2023/03/06" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -40,12 +66,12 @@ This rule monitors for commonly abused processes writing to the Startup folder l - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml index d9702827d..a9ccbc9c2 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml @@ -6,6 +6,32 @@ updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -40,12 +66,12 @@ This rule looks for unsigned processes writing to the Startup folder locations. - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml index 000ca0a37..d4db24bbe 100644 --- a/rules/windows/persistence_startup_folder_scripts.toml +++ b/rules/windows/persistence_startup_folder_scripts.toml @@ -6,6 +6,32 @@ updated_date = "2023/03/06" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -40,12 +66,12 @@ This rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs s - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index e7f679fb9..921ad8732 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -6,6 +6,32 @@ updated_date = "2023/03/06" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -40,12 +66,12 @@ This rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml index bdd6f3cd6..9f89f8d45 100644 --- a/rules/windows/privilege_escalation_installertakeover.toml +++ b/rules/windows/privilege_escalation_installertakeover.toml @@ -2,9 +2,35 @@ creation_date = "2021/11/25" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/02/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +updated_date = "2023/02/27" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -40,12 +66,12 @@ This rule detects the default execution of the PoC, which overwrites the `elevat - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml index d70a1ec2d..3dad88a1e 100644 --- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml +++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml @@ -4,7 +4,33 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/03/07" + +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + [rule] author = ["Elastic"] @@ -40,12 +66,12 @@ Attackers can abuse named pipes to elevate their privileges by impersonating the - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. ### False positive analysis @@ -79,7 +105,15 @@ references = [ risk_score = 73 rule_id = "3ecbdc9e-e4f2-43fa-8cca-63802125e582" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"] +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Privilege Escalation", + "Investigation Guide", + "Elastic Endgame", +] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml index 0efb30bd6..3f78724ba 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml @@ -6,6 +6,32 @@ updated_date = "2023/03/06" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -40,12 +66,12 @@ The Print Spooler service has some known vulnerabilities that attackers can abus - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index e5bcd12c0..fe91f59da 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -6,6 +6,32 @@ updated_date = "2023/03/06" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -42,12 +68,12 @@ During startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\ - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml index fa939ebcc..2b2c50b98 100644 --- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml @@ -6,6 +6,32 @@ updated_date = "2023/03/06" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -42,12 +68,12 @@ This rule identifies an attempt to bypass User Account Control (UAC) by masquera - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml index 21e72f3bb..c01efb61c 100644 --- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml @@ -6,6 +6,32 @@ updated_date = "2023/03/06" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -42,12 +68,12 @@ This rule identifies attempts to bypass User Account Control (UAC) by hijacking - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index 94d384159..b1ef35423 100644 --- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml @@ -6,6 +6,32 @@ updated_date = "2023/03/06" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve DNS Cache" +query = "SELECT * FROM dns_cache" + +[[transform.osquery]] +label = "Osquery - Retrieve All Services" +query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + +[[transform.osquery]] +label = "Osquery - Retrieve Services Running on User Accounts" +query = """ +SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE +NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR +user_account == null) +""" + +[[transform.osquery]] +label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link" +query = """ +SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, +services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = +authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted' +""" + + [rule] author = ["Elastic"] description = """ @@ -39,12 +65,12 @@ This rule uses this information to spot suspicious parent and child processes. - Attempts to contact external domains and addresses. - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. - Examine the DNS cache for suspicious or anomalous entries. - - !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}} + - $osquery_0 - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. - Examine the host services for suspicious or anomalous entries. - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}} - - !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}} - - !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}} + - $osquery_1 + - $osquery_2 + - $osquery_3 - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 4de7e568b..b6cfb391a 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -24,7 +24,7 @@ from detection_rules.rule import (QueryRuleData, TOMLRuleContents, load_integrations_manifests, QueryValidator) from detection_rules.rule_loader import FILE_PATTERN from detection_rules.schemas import definitions, get_stack_schemas -from detection_rules.utils import INTEGRATION_RULE_DIR, get_path, load_etc_dump +from detection_rules.utils import INTEGRATION_RULE_DIR, get_path, load_etc_dump, PatchedTemplate from detection_rules.version_lock import default_version_lock from rta import get_available_tests @@ -803,22 +803,6 @@ class TestRiskScoreMismatch(BaseRuleTest): self.fail(err_msg) -class TestOsqueryPluginNote(BaseRuleTest): - """Test if a guide containing Osquery Plugin syntax contains the version note.""" - - def test_note_guide(self): - osquery_note = '> **Note**:\n' - osquery_note_pattern = osquery_note + '> This investigation guide uses the [Osquery Markdown Plugin]' \ - '(https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic ' \ - 'Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.' - - for rule in self.all_rules: - if rule.contents.data.note and "!{osquery" in rule.contents.data.note: - if osquery_note_pattern not in rule.contents.data.note: - self.fail(f'{self.rule_str(rule)} Investigation guides using the Osquery Markdown must contain ' - f'the following note:\n{osquery_note_pattern}') - - class TestEndpointQuery(BaseRuleTest): """Test endpoint-specific rules.""" @@ -845,6 +829,67 @@ class TestEndpointQuery(BaseRuleTest): # self.assertIn('host.os.platform', fields, err_msg) +class TestNoteMarkdownPlugins(BaseRuleTest): + """Test if a guide containing Osquery Plugin syntax contains the version note.""" + + def test_note_has_osquery_warning(self): + """Test that all rules with osquery entries have the default notification of stack compatibility.""" + osquery_note_pattern = ('> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin]' + '(https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) ' + 'introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display ' + 'unrendered Markdown in this guide.') + + for rule in self.production_rules.rules: + if not rule.contents.get('transform'): + continue + osquery = rule.contents.transform.get('osquery') + if osquery and osquery_note_pattern not in rule.contents.data.note: + self.fail(f'{self.rule_str(rule)} Investigation guides using the Osquery Markdown must contain ' + f'the following note:\n{osquery_note_pattern}') + + def test_plugin_placeholders_match_entries(self): + """Test that the number of plugin entries match their respective placeholders in note.""" + for rule in self.production_rules.rules: + has_transform = rule.contents.get('transform') is not None + has_note = rule.contents.data.get('note') is not None + + if has_transform and not has_note: + self.fail(f'{self.rule_str(rule)} transformed defined with no note') + elif not has_transform: + continue + + transform = rule.contents.transform + transform_counts = {plugin: len(entries) for plugin, entries in transform.to_dict().items()} + note = rule.contents.data.note + self.assertIsNotNone(note) + note_template = PatchedTemplate(note) + + note_counts = defaultdict(int) + for identifier in note_template.get_identifiers(): + # "$" is used for other things, so this verifies the pattern of a trailing "_" followed by ints + if '_' not in identifier: + continue + dash_index = identifier.rindex('_') + if dash_index == len(identifier) or not identifier[dash_index + 1:].isdigit(): + continue + + plugin, _ = identifier.split('_') + if plugin in transform_counts: + note_counts[plugin] += 1 + + err_msg = f'{self.rule_str(rule)} plugin entry count mismatch between transform and note' + self.assertDictEqual(transform_counts, note_counts, err_msg) + + def test_if_plugins_explicitly_defined(self): + """Check if plugins are explicitly defined with the pattern in note vs using transform.""" + for rule in self.production_rules.rules: + note = rule.contents.data.get('note') + if note is not None: + results = re.search(r'(!{osquery|!{insight)', note, re.I | re.M) + err_msg = f'{self.rule_str(rule)} investigation guide plugin pattern detected! Use Transform' + self.assertIsNone(results, err_msg) + + class TestAlertSuppression(BaseRuleTest): """Test rule alert suppression.""" diff --git a/tests/test_transform_fields.py b/tests/test_transform_fields.py new file mode 100644 index 000000000..8fe56484b --- /dev/null +++ b/tests/test_transform_fields.py @@ -0,0 +1,114 @@ +# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +# or more contributor license agreements. Licensed under the Elastic License +# 2.0; you may not use this file except in compliance with the Elastic License +# 2.0. + +"""Test fields in TOML [transform].""" +import copy +import unittest +from pathlib import Path +from textwrap import dedent + +import pytoml + +from detection_rules.devtools import guide_plugin_convert_ +from detection_rules.rule import TOMLRule, TOMLRuleContents +from detection_rules.rule_loader import RuleCollection + +RULES_DIR = Path(__file__).parent.parent / 'rules' + + +class TestGuideMarkdownPlugins(unittest.TestCase): + """Test the Markdown plugin features within the investigation guide.""" + + @classmethod + def setUpClass(cls) -> None: + cls.osquery_patterns = [ + """!{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}}""", + """!{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}}""", # noqa: E501 + """!{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)"}}""", # noqa: E501 + """!{osquery{"label":"Retrieve Service Unisgned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'"}}""", # noqa: E501 + ] + + @staticmethod + def load_rule() -> TOMLRule: + rc = RuleCollection() + windows_rule = list(RULES_DIR.joinpath('windows').glob('*.toml'))[0] + sample_rule = rc.load_file(windows_rule) + return sample_rule + + def test_transform_guide_markdown_plugins(self) -> None: + sample_rule = self.load_rule() + rule_dict = sample_rule.contents.to_dict() + osquery_toml = dedent(""" + [transform] + [[transform.osquery]] + label = "Osquery - Retrieve DNS Cache" + query = "SELECT * FROM dns_cache" + + [[transform.osquery]] + label = "Osquery - Retrieve All Services" + query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services" + + [[transform.osquery]] + label = "Osquery - Retrieve Services Running on User Accounts" + query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)" + + [[transform.osquery]] + label = "Retrieve Service Unisgned Executables with Virustotal Link" + query = "SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'" + """.strip()) # noqa: E501 + + sample_note = dedent(""" + ## Triage and analysis + + ### Investigating Unusual Process For a Windows Host + + Searching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors. + + > **Note**: + > This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + + #### Possible investigation steps + + - Examine the host for derived artifacts that indicates suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - $osquery_0 + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - $osquery_1 + - $osquery_2 + - $osquery_3 + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + """.strip()) # noqa: E501 + + transform = pytoml.loads(osquery_toml) + rule_dict['rule']['note'] = sample_note + rule_dict.update(**transform) + + new_rule_contents = TOMLRuleContents.from_dict(rule_dict) + new_rule = TOMLRule(path=sample_rule.path, contents=new_rule_contents) + rendered_note = new_rule.contents.to_dict()['rule']['note'] + + for pattern in self.osquery_patterns: + self.assertIn(pattern, rendered_note) + + def test_plugin_conversion(self): + """Test the conversion function to ensure parsing is correct.""" + sample_rule = self.load_rule() + rule_dict = sample_rule.contents.to_dict() + rule_dict['rule']['note'] = "$osquery_0" + + for pattern in self.osquery_patterns: + transform = guide_plugin_convert_(contents=pattern) + rule_dict_copy = copy.deepcopy(rule_dict) + rule_dict_copy.update(**transform) + new_rule_contents = TOMLRuleContents.from_dict(rule_dict_copy) + new_rule = TOMLRule(path=sample_rule.path, contents=new_rule_contents) + rendered_note = new_rule.contents.to_dict()['rule']['note'] + + self.assertIn(pattern, rendered_note)