[New Rule] Clearing Windows Console History (#1623)
* Create defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* bump severity
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 13fc69b70a)
This commit is contained in:
Austin Songer
committed by
github-actions[bot]
github-actions[bot]
parent
89c49a34b5
commit
526c4e2678
@@ -0,0 +1,52 @@
|
||||
[metadata]
|
||||
creation_date = "2021/11/22"
|
||||
maturity = "production"
|
||||
updated_date = "2021/11/24"
|
||||
|
||||
[rule]
|
||||
author = ["Austin Songer"]
|
||||
description = """
|
||||
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal
|
||||
the actions undertaken during an intrusion.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Clearing Windows Console History"
|
||||
references = [
|
||||
"https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
|
||||
"https://www.shellhacks.com/clear-history-powershell/",
|
||||
"https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "b5877334-677f-4fb9-86d5-a9721274223b"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where event.action == "start" and
|
||||
(process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or process.pe.original_file_name == "PowerShell.EXE") and
|
||||
(process.args : "*Clear-History*" or
|
||||
(process.args : ("*Remove-Item*", "rm") and process.args : ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")) or
|
||||
(process.args : "*Set-PSReadlineOption*" and process.args : "*SaveNothing*"))
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1070"
|
||||
name = "Indicator Removal on Host"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1070.003"
|
||||
name = "Clear Command History"
|
||||
reference = "https://attack.mitre.org/techniques/T1070/003/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
name = "Defense Evasion"
|
||||
Reference in New Issue
Block a user