[Security Content] Add Investigation Guides - 2 (#1822)

* Add Investigation Guides for Windows Rules - First half

* + 1/2

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update credential_access_mod_wdigest_security_provider.toml

* Apply suggestions from code review

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update defense_evasion_amsienable_key_mod.toml

* Update defense_evasion_amsienable_key_mod.toml

* Apply suggestions from code review

Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>

* Update command_and_control_certutil_network_connection.toml

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>

* Update collection_winrar_encryption.toml

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

(cherry picked from commit a3d7427d29)

rules/windows/collection_posh_screen_grabber.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/19"
 maturity = "production"
-updated_date = "2022/03/02"
+updated_date = "2022/03/07"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,61 @@ index = ["winlogbeat-*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "PowerShell Suspicious Script with Screenshot Capabilities"
+note = """## Triage and analysis
+
+### Investigating PowerShell Suspicious Script with Screenshot Capabilities
+
+PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes
+it available for use in various environments and creates an attractive way for attackers to execute code.
+
+Attackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course
+of an operation.
+
+#### Possible investigation steps
+
+- Examine the script content that triggered the detection. 
+- Investigate the script execution chain (parent process tree).
+- Inspect file or network events from the suspicious PowerShell host process instance.
+- Investigate other alerts associated with the user or host in the past 48 hours.
+- Consider whether the user needs PowerShell to complete its tasks.
+- Investigate if the script stores the captured data locally.
+- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration.
+- Examine network data to determine if the host communicated with the exfiltration server.
+
+### False positive analysis
+
+- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false
+positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.
+
+### Related rules
+
+- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities.
+- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users.
+- Reset the password for the user account.
+
+## Config
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with with Advanced Audit Configuration:
+
+```
+Computer Configuration > 
+Administrative Templates > 
+Windows PowerShell > 
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+"""
 references = ["https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"]
 risk_score = 47
 rule_id = "959a7353-1129-4aa7-9084-30746b256a70"

rules/windows/collection_winrar_encryption.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/07"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,40 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Encrypting Files with WinRar or 7z"
+note = """## Triage and analysis
+
+### Investigating Encrypting Files with WinRar or 7z
+
+Attackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the
+collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is
+being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.
+
+These steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.
+
+#### Possible investigation steps
+
+- Investigate the script execution chain (parent process tree).
+- Retrieve the encrypted file.
+- Investigate other alerts related to the user/host in the last 48 hours.
+- Check if the password used in the encryption was included in the command line.
+- Decrypt the `.rar`/`.zip` and check if the information is sensitive.
+- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the
+file names included in the encrypted file.
+- Investigate if the file was transferred to an attacker-controlled server.
+
+### False positive analysis
+
+- Backup software can use these utilities. Check the `process.parent.executable` and
+`process.parent.command_line` fields to determine what triggered the encryption.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- If personally identifiable information (PII) or other classified data is involved, investigations into this should be prioritized.
+- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities.
+- Reset the passwords of the involved accounts.
+- Safeguard critical assets to prevent further harm or theft of data.
+"""
 references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"]
 risk_score = 47
 rule_id = "45d273fb-1dca-457d-9855-bcb302180c21"

rules/windows/command_and_control_certutil_network_connection.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/19"
 maturity = "production"
-updated_date = "2021/05/26"
+updated_date = "2022/03/07"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,46 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Network Connection via Certutil"
-references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
+note = """## Triage and analysis
+
+### Investigating Network Connection via Certutil
+
+Attackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources
+in order to take the next steps in a compromised environment.
+
+This rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in
+[IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)
+
+#### Possible investigation steps
+
+- Investigate the script execution chain (parent process tree).
+- Investigate other alerts related to the user/host in the last 48 hours.
+- Investigate if the downloaded file was executed.
+- Determine the context in which `certutil.exe` and the file were run.
+- Retrieve the file downloaded and:
+  - Use a sandboxed malware analysis system to perform analysis.
+    - Observe attempts of contacting external domains and addresses.
+  - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
+    - Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False positive analysis
+
+- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified
+anything suspicious, this alert can be closed as a false positive.
+- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination
+of user and command line conditions.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
+"""
+references = [
+    "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml",
+    "https://frsecure.com/malware-incident-response-playbook/",
+]
 risk_score = 21
 rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8"
 severity = "low"

rules/windows/command_and_control_common_webservices.toml

@@ -1,21 +1,54 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/03/07"
 
 [rule]
 author = ["Elastic"]
 description = """
-Adversaries may implement command and control communications that use common web services in order to hide their
-activity. This attack technique is typically targeted to an organization and uses web services common to the victim
-network which allows the adversary to blend into legitimate traffic. activity. These popular services are typically
-targeted since they have most likely been used before a compromise and allow adversaries to blend in the network.
+Adversaries may implement command and control (C2) communications that use common web services to hide their
+activity. This attack technique is typically targeted at an organization and uses web services common to the victim
+network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically
+targeted since they have most likely been used before compromise, which helps malicious traffic blend in.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Connection to Commonly Abused Web Services"
+note = """## Triage and analysis
+
+### Investigating Connection to Commonly Abused Web Services
+
+Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised
+system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the
+likelihood that hosts within a network are already communicating with them prior to a compromise.
+
+This rule looks for processes outside known legitimate program locations communicating with a list of services that can
+be abused for exfiltration or command and control.
+
+#### Possible investigation steps
+
+- Investigate the script execution chain (parent process tree).
+- Investigate other alerts related to the user/host in the last 48 hours.
+- Verify whether the digital signature exists in the executable.
+- Identify the kind of the operation (upload, download, tunneling, etc.).
+- Use a sandboxed malware analysis system to perform analysis on the executable.
+- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
+  - Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False positive analysis
+
+- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy
+false positives can be added as exceptions.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
+"""
 risk_score = 21
 rule_id = "66883649-f908-4a5b-a1e0-54090a1d3a32"
 severity = "low"

rules/windows/command_and_control_dns_tunneling_nslookup.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/07"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,42 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential DNS Tunneling via NsLookup"
+note = """## Triage and analysis
+
+### Investigating Potential DNS Tunneling via NsLookup
+
+Attackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as
+their command and control and/or exfiltration channel.
+
+DNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration,
+since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.
+
+More information on how tunneling works and how it can be abused can be found on
+[Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).
+
+#### Possible investigation steps
+
+- Investigate the script execution chain (parent process tree).
+- Investigate other alerts related to the user/host in the last 48 hours.
+- Inspect the DNS query and identify the information sent.
+- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.
+
+### False positive analysis
+
+- This mechanism can be used legitimately. If the parent process is trusted and the data sent is not sensitive nor
+command and control related, this alert can be closed.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- Immediately block the IoCs identified on the triage.
+- Implement any temporary network rules, procedures, and segmentation required to contain the attack.
+- Capture forensic images to preserve evidence.
+- Reset the password for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
+- Update firewall rules to be more restrictive.
+- Reimage affected systems.
+"""
 references = ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"]
 risk_score = 47
 rule_id = "3a59fc81-99d3-47ea-8cd6-d48d561fca20"

rules/windows/credential_access_mod_wdigest_security_provider.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/02/03"
+updated_date = "2022/03/07"
 
 [rule]
 author = ["Elastic"]
@@ -16,9 +16,57 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Modification of WDigest Security Provider"
+note = """## Triage and analysis.
+
+### Investigating Modification of WDigest Security Provider
+
+In Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send
+cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications
+based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default,
+which is no longer the case with newer Windows versions.
+
+Still, attackers can force WDigest to store the passwords insecurely on the memory by modifying the
+`HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is
+commonly related to the execution of credential dumping tools.
+
+#### Possible investigation steps
+
+- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should
+treat any activity triggered from this rule with high priority as it typically represents an active adversary.
+- Investigate the script execution chain (parent process tree).
+- Investigate other alerts related to the user/host in the last 48 hours.
+- Determine if credential dumping tools were run on the host and if any suspicious tool is found:
+  - Retrieve the file.
+  - Use a sandboxed malware analysis system to perform analysis.
+  - Observe attempts to contact external domains and addresses.
+  - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
+    - Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+- Use process name, command line, and file hash to search for other compromised hosts.
+- Scope potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target
+host after the registry modification.
+
+### False positive analysis
+
+- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and
+monitored by the security team, as these modifications expose the entire domain to credential compromises and
+consequently unauthorized access.
+
+### Related rules
+
+- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Disable user account’s ability to log in remotely.
+- Reset the password for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
+- Reimage the host operating system and restore compromised files to clean versions.
+"""
 references = [
     "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html",
     "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019",
+    "https://frsecure.com/compromised-credentials-response-playbook",
 ]
 risk_score = 73
 rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5"

rules/windows/defense_evasion_amsienable_key_mod.toml

@@ -1,20 +1,62 @@
 [metadata]
 creation_date = "2021/06/01"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/03/07"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies when JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware
-Scan Interface (AMSI). If this key is set to 0, AMSI is not enabled for the JScript process. An adversary can modify
-this key to disable AMSI protections.
+Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An
+adversary can modify this key to disable AMSI protections.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Modification of AmsiEnable Registry Key"
+note = """## Triage and analysis
+
+### Investigating Modification of AmsiEnable Registry Key
+
+The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and
+services to integrate with any antimalware product that's present on a machine. AMSI provides integration with multiple
+Windows components, ranging from User Account Control (UAC) to VBA Macros.
+
+Since AMSI is widely used across security products for increased visibility, attackers can disable it to evade
+detections that rely on it.
+
+This rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.
+
+#### Possible investigation steps
+
+- Identify the user that performed the action.
+- Check whether this user should be doing this kind of activity.
+- Investigate program execution chain (parent process tree).
+- Investigate other alerts related to the user/host in the last 48 hours.
+- Investigate the execution of scripts and macros after the registry modification.
+- Retrieve script/office files:
+  - Use a sandboxed malware analysis system to perform analysis.
+    - Observe attempts to contact external domains and addresses.
+  - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
+    - Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+- Use process name, command line, and file hash to search for occurrences on other hosts.
+
+### False positive analysis
+
+- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and
+monitored by the security team, as these modifications expose the host to malware infections.
+
+### Related rules
+
+- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- If malware was found, implement temporary network rules, procedures, and segmentation required to contain it.
+- Delete or set the key to its default value.
+"""
 references = [
     "https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf",
     "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal",

rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

@@ -14,6 +14,56 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Volume Shadow Copy Deleted or Resized via VssAdmin"
+note = """## Triage and analysis.
+
+### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin
+
+The Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes
+that can later be restored or mounted to recover specific files or folders.
+
+A typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow
+Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow
+copies worth monitoring.
+
+This rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.
+
+#### Possible investigation steps
+
+- Investigate the program execution chain (parent process tree).
+- Check whether the account is authorized to perform this operation.
+- Confirm whether the account owner is aware of the operation.
+- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.
+- Investigate other alerts related to the user/host in the last 48 hours.
+- If unsigned files are found on the process tree:
+  - Capture copies of the files.
+  - Use a sandboxed malware analysis system to perform analysis.
+    - Observe attempts to contact external domains and addresses.
+  - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
+    - Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+- Use process name, command line, and file hash to search for occurrences in other hosts.
+- Check if any files on the host machine have been encrypted.
+
+
+### False positive analysis
+
+- This rule may produce benign true positives (B-TPs). If this activity is expected and noisy in your
+environment, consider adding exceptions — preferably with a combination of user and command line conditions.
+
+### Related rules
+
+- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921
+- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Priority should be given due to the advanced stage of this activity on the attack.
+- If malware was found, isolate the involved hosts to prevent the infection of other hosts.
+- Disable the involved accounts, or restrict their ability to log on remotely.
+- If data was encrypted, deleted, or modified, activate your data recovery plan.
+- Reset the password of the involved accounts.
+- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).
+"""
 risk_score = 73
 rule_id = "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921"
 severity = "high"

rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/19"
 maturity = "production"
-updated_date = "2021/10/17"
+updated_date = "2022/03/08"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -14,6 +14,56 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Volume Shadow Copy Deletion via PowerShell"
+note = """## Triage and analysis
+
+### Investigating Volume Shadow Copy Deletion via PowerShell
+
+The Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes
+that can later be restored or mounted to recover specific files or folders.
+
+A typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow
+Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow
+copies worth monitoring.
+
+This rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow
+copy objects, and delete them.
+
+#### Possible investigation steps
+
+- Investigate the program execution chain (parent process tree).
+- Check whether the account is authorized to perform this operation.
+- Confirm whether the account owner is aware of the operation.
+- Investigate other alerts related to the user/host in the last 48 hours.
+- If unsigned files are found on the process tree:
+  - Capture copies of the files.
+  - Use a sandboxed malware analysis system to perform analysis.
+    - Observe attempts of contacting external domains and addresses.
+  - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
+    - Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+- Use process name, command line, and file hash to search for occurrences in other hosts.
+- Check if any files on the host machine have been encrypted.
+
+
+### False positive analysis
+
+- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your
+environment, consider adding exceptions — preferably with a combination of user and command line conditions.
+
+### Related rules
+
+- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921
+- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Priority should be given due to the advanced stage of this activity on the attack.
+- If malware was found, isolate the involved hosts to prevent the infection of other hosts.
+- Disable the involved accounts, or restrict their ability to log on remotely.
+- If data was encrypted, deleted, or modified, activate your data recovery plan.
+- Reset the password of the involved accounts.
+- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).
+"""
 references = [
     "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy",
     "https://powershell.one/wmi/root/cimv2/win32_shadowcopy",

rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/09/23"
+updated_date = "2022/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,56 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Volume Shadow Copy Deletion via WMIC"
+note = """## Triage and analysis
+
+### Investigating Volume Shadow Copy Deletion via WMIC
+
+The Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes
+that can later be restored or mounted to recover specific files or folders.
+
+A typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow
+Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow
+copies worth monitoring.
+
+This rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.
+
+#### Possible investigation steps
+
+- Investigate the program execution chain (parent process tree).
+- Check whether the account is authorized to perform this operation.
+- Confirm whether the account owner is aware of the operation.
+- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.
+- Investigate other alerts related to the user/host in the last 48 hours.
+- If unsigned files are found on the process tree:
+  - Capture copies of the files.
+  - Use a sandboxed malware analysis system to perform analysis.
+    - Observe attempts of contacting external domains and addresses.
+  - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
+    - Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+- Use process name, command line, and file hash to search for occurrences in other hosts.
+- Check if any files on the host machine have been encrypted.
+
+
+### False positive analysis
+
+- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your
+environment, consider adding exceptions — preferably with a combination of user and command line conditions.
+
+### Related rules
+
+- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921
+- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Priority should be given due to the advanced stage of this activity on the attack.
+- If malware was found, isolate the involved hosts to prevent the infection of other hosts.
+- Disable the involved accounts, or restrict their ability to log on remotely.
+- If data was encrypted, deleted, or modified, activate your data recovery plan.
+- Reset the password of the involved accounts.
+- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).
+"""
 risk_score = 73
 rule_id = "dc9c1f74-dac3-48e3-b47f-eb79db358f57"
 severity = "high"