From 5a263b253d63f751e2021ab61845c3c4cec8d224 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Wed, 30 Mar 2022 14:43:55 -0300 Subject: [PATCH] [Security Content] Add Investigation Guides - 2 (#1822) * Add Investigation Guides for Windows Rules - First half * + 1/2 * Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml * Update credential_access_mod_wdigest_security_provider.toml * Apply suggestions from code review Co-authored-by: Mika Ayenson * Update defense_evasion_amsienable_key_mod.toml * Update defense_evasion_amsienable_key_mod.toml * Apply suggestions from code review Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> * Update command_and_control_certutil_network_connection.toml * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Joe Peeples Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> * Update collection_winrar_encryption.toml * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Mika Ayenson Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Joe Peeples (cherry picked from commit a3d7427d291bfdf01afd6b872b69f7d46a9cbf16) --- .../collection_posh_screen_grabber.toml | 57 ++++++++++++++++++- .../windows/collection_winrar_encryption.toml | 36 +++++++++++- ...d_control_certutil_network_connection.toml | 43 +++++++++++++- ...ommand_and_control_common_webservices.toml | 43 ++++++++++++-- ...nd_and_control_dns_tunneling_nslookup.toml | 38 ++++++++++++- ..._access_mod_wdigest_security_provider.toml | 50 +++++++++++++++- .../defense_evasion_amsienable_key_mod.toml | 50 ++++++++++++++-- ...copy_deletion_or_resized_via_vssadmin.toml | 50 ++++++++++++++++ 
...e_shadow_copy_deletion_via_powershell.toml | 52 ++++++++++++++++- ..._volume_shadow_copy_deletion_via_wmic.toml | 52 ++++++++++++++++- 10 files changed, 454 insertions(+), 17 deletions(-) diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml index a4e9cd34c..a5431f362 100644 --- a/rules/windows/collection_posh_screen_grabber.toml +++ b/rules/windows/collection_posh_screen_grabber.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/19" maturity = "production" -updated_date = "2022/03/02" +updated_date = "2022/03/07" [rule] author = ["Elastic"] 
@@ -14,6 +14,61 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Suspicious Script with Screenshot Capabilities" +note = """## Triage and analysis + +### Investigating PowerShell Suspicious Script with Screenshot Capabilities + +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes +it available for use in various environments and creates an attractive way for attackers to execute code. + +Attackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course +of an operation. + +#### Possible investigation steps + +- Examine the script content that triggered the detection. +- Investigate the script execution chain (parent process tree). +- Inspect file or network events from the suspicious PowerShell host process instance. +- Investigate other alerts associated with the user or host in the past 48 hours. +- Consider whether the user needs PowerShell to complete its tasks. +- Investigate if the script stores the captured data locally. +- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration. +- Examine network data to determine if the host communicated with the exfiltration server. + +### False positive analysis + +- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false +positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added. + +### Related rules + +- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities. 
+- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users. +- Reset the password for the user account. + +## Config + +The 'PowerShell Script Block Logging' logging policy must be enabled. +Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` +""" references = ["https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"] risk_score = 47 rule_id = "959a7353-1129-4aa7-9084-30746b256a70" diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index 2beedc917..ef3562947 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/04" maturity = "production" -updated_date = "2021/09/23" +updated_date = "2022/03/07" [rule] author = ["Elastic"] 
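Review bot: The Config section at the end of the note mislabels the mechanism: PowerShell Script Block Logging is an Administrative Templates policy, not part of Advanced Audit Policy Configuration, and the sentence also doubles a word (`with with`); replace it with `Steps to implement the logging policy via Group Policy (Administrative Templates):`. The `reg add` fallback deserves a caveat, because if a domain GPO configures this setting it will overwrite the locally added `EnableScriptBlockLogging` value on the next policy refresh, e.g. `# A domain GPO that configures Script Block Logging takes precedence over this local value.` after the command. In the investigation steps, `Consider whether the user needs PowerShell to complete its tasks` should read `their tasks`.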
@@ -14,6 +14,40 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Encrypting Files with WinRar or 7z" +note = """## Triage and analysis + +### Investigating Encrypting Files with WinRar or 7z + +Attackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the +collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is +being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender. + +These steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages. + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree). +- Retrieve the encrypted file. +- Investigate other alerts related to the user/host in the last 48 hours. +- Check if the password used in the encryption was included in the command line. +- Decrypt the `.rar`/`.zip` and check if the information is sensitive. +- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the +file names included in the encrypted file. +- Investigate if the file was transferred to an attacker-controlled server. + +### False positive analysis + +- Backup software can use these utilities. Check the `process.parent.executable` and +`process.parent.command_line` fields to determine what triggered the encryption. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- If personally identifiable information (PII) or other classified data is involved, investigations into this should be prioritized. +- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities. +- Reset the passwords of the involved accounts. 
+- Safeguard critical assets to prevent further harm or theft of data. +""" references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"] risk_score = 47 rule_id = "45d273fb-1dca-457d-9855-bcb302180c21" diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml index 61fea0d16..f513541f6 100644 --- a/rules/windows/command_and_control_certutil_network_connection.toml +++ b/rules/windows/command_and_control_certutil_network_connection.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/19" maturity = "production" -updated_date = "2021/05/26" +updated_date = "2022/03/07" [rule] author = ["Elastic"] 
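Review bot: The file-name listing step only covers WinRAR although the rule name says `WinRar or 7z`: for 7-Zip the equivalent of `-hp` is `-p` combined with `-mhe=on` (header encryption), and a `.7z` archive created without `-mhe` still exposes its file names. Rewrite the bullet as `If the password is not available and the archive was created without header encryption (WinRAR without -hp, 7-Zip without -mhe=on, or any .zip), list the file names included in the encrypted file.` The password check would also be more useful if it named where to look: `Check if the password was passed on the command line (-p<password> or -hp<password>) or supplied interactively.` The first bullet says `script execution chain`, but the subject here is an archiver process, so `program execution chain` matches the wording used in the later guides of this commit.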
@@ -14,7 +14,46 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Network Connection via Certutil" -references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"] +note = """## Triage and analysis + +### Investigating Network Connection via Certutil + +Attackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources +in order to take the next steps in a compromised environment. + +This rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in +[IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml) + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree). +- Investigate other alerts related to the user/host in the last 48 hours. +- Investigate if the downloaded file was executed. +- Determine the context in which `certutil.exe` and the file were run. +- Retrieve the file downloaded and: + - Use a sandboxed malware analysis system to perform analysis. + - Observe attempts of contacting external domains and addresses. + - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file. + - Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified +anything suspicious, this alert can be closed as a false positive. +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination +of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. 
+- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. +- Implement any temporary network rules, procedures, and segmentation required to contain the malware. +""" +references = [ + "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", + "https://frsecure.com/malware-incident-response-playbook/", +] risk_score = 21 rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8" severity = "low" diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index 59bafda14..999ce8f93 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml 
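Review bot: The investigation steps never tell the analyst to read the `certutil.exe` command line, which is where the download URL and output path normally appear (`-urlcache -split -f <url> <file>`), so the `Retrieve the file downloaded` step has no concrete pointer to work from. Add `Examine the certutil.exe command line for the source URL and the destination path of the downloaded file.` before the retrieval step, and consider a bullet noting that `certutil -urlcache` on the host lists URLs still present in the local URL cache, which can recover downloads that were deleted afterwards. The hash-lookup bullet should make explicit that only the hash is submitted to public services, e.g. `Search public sources (VirusTotal, Hybrid-Analysis, Talos, Any.run) by hash; do not upload the file itself, as it may contain internal data.`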
@@ -1,21 +1,54 @@ [metadata] creation_date = "2020/11/04" maturity = "production" -updated_date = "2022/02/14" +updated_date = "2022/03/07" [rule] author = ["Elastic"] description = """ -Adversaries may implement command and control communications that use common web services in order to hide their -activity. This attack technique is typically targeted to an organization and uses web services common to the victim -network which allows the adversary to blend into legitimate traffic. activity. These popular services are typically -targeted since they have most likely been used before a compromise and allow adversaries to blend in the network. +Adversaries may implement command and control (C2) communications that use common web services to hide their +activity. This attack technique is typically targeted at an organization and uses web services common to the victim +network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically +targeted since they have most likely been used before compromise, which helps malicious traffic blend in. """ from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Connection to Commonly Abused Web Services" +note = """## Triage and analysis + +### Investigating Connection to Commonly Abused Web Services + +Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised +system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the +likelihood that hosts within a network are already communicating with them prior to a compromise. + +This rule looks for processes outside known legitimate program locations communicating with a list of services that can +be abused for exfiltration or command and control. + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree). 
+- Investigate other alerts related to the user/host in the last 48 hours. +- Verify whether the digital signature exists in the executable. +- Identify the kind of the operation (upload, download, tunneling, etc.). +- Use a sandboxed malware analysis system to perform analysis on the executable. +- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file. + - Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy +false positives can be added as exceptions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. +- Implement any temporary network rules, procedures, and segmentation required to contain the malware. +""" risk_score = 21 rule_id = "66883649-f908-4a5b-a1e0-54090a1d3a32" severity = "low" diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml index 29aa6f679..86bbc07d3 100644 --- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml +++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/11" maturity = "production" -updated_date = "2021/09/23" +updated_date = "2022/03/07" [rule] author = ["Elastic"] 
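Review bot: `Verify whether the digital signature exists in the executable` asks the wrong question: a present signature proves little, since malware is routinely signed with stolen or throwaway certificates, and what matters is whether the signature is valid and the signer is one expected for that binary. Change the bullet to `Verify that the executable is signed, that the signature is valid, and that the signer is a publisher expected for that program.` Because the rule keys on processes outside known program locations, it would also help to add `Check whether the executable path is one a legitimate install of that product would use.` before the sandbox step. In the false-positive section, recommend scoping exceptions by executable path and signer rather than by process name alone, so an attacker cannot inherit the exception by reusing an excepted file name.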
@@ -14,6 +14,42 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "Potential DNS Tunneling via NsLookup" +note = """## Triage and analysis + +### Investigating Potential DNS Tunneling via NsLookup + +Attackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as +their command and control and/or exfiltration channel. + +DNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, +since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling. + +More information on how tunneling works and how it can be abused can be found on +[Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors). + +#### Possible investigation steps + +- Investigate the script execution chain (parent process tree). +- Investigate other alerts related to the user/host in the last 48 hours. +- Inspect the DNS query and identify the information sent. +- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts. + +### False positive analysis + +- This mechanism can be used legitimately. If the parent process is trusted and the data sent is not sensitive nor +command and control related, this alert can be closed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- Immediately block the IoCs identified on the triage. +- Implement any temporary network rules, procedures, and segmentation required to contain the attack. +- Capture forensic images to preserve evidence. 
+- Reset the password for the user account and other potentially compromised accounts (email, services, CRMs, etc.). +- Update firewall rules to be more restrictive. +- Reimage affected systems. +""" references = ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"] risk_score = 47 rule_id = "3a59fc81-99d3-47ea-8cd6-d48d561fca20" diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index 58faf8624..77230f939 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/19" maturity = "production" -updated_date = "2022/02/03" +updated_date = "2022/03/07" [rule] author = ["Elastic"] 
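Review bot: `Inspect the DNS query and identify the information sent` is the only triage step tied to the detection itself, and it omits the two fields that decide the case, the queried name and the resolver nslookup was pointed at, both of which are on the `nslookup` command line. Add `Examine the nslookup command line for the queried domain and for an explicit DNS server argument, and check whether that domain or server is known to the organization.` and `Search DNS logs for the volume and frequency of queries to the same domain from this and other hosts; long, high-entropy subdomains at a steady rate are typical of tunneling.` The remediation list goes from blocking IoCs straight to `Reimage affected systems`, which is a heavy step for a rule whose false-positive section says the mechanism can be used legitimately; qualify it as `If the host is confirmed compromised, reimage it.`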
@@ -16,9 +16,57 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Modification of WDigest Security Provider" +note = """## Triage and analysis. + +### Investigating Modification of WDigest Security Provider + +In Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send +cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications +based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, +which is no longer the case with newer Windows versions. + +Still, attackers can force WDigest to store the passwords insecurely on the memory by modifying the +`HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is +commonly related to the execution of credential dumping tools. + +#### Possible investigation steps + +- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should +treat any activity triggered from this rule with high priority as it typically represents an active adversary. +- Investigate the script execution chain (parent process tree). +- Investigate other alerts related to the user/host in the last 48 hours. +- Determine if credential dumping tools were run on the host and if any suspicious tool is found: + - Retrieve the file. + - Use a sandboxed malware analysis system to perform analysis. + - Observe attempts to contact external domains and addresses. + - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file. + - Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for other compromised hosts. +- Scope potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target +host after the registry modification. + +### False positive analysis + +- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and +monitored by the security team, as these modifications expose the entire domain to credential compromises and +consequently unauthorized access. + +### Related rules + +- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Disable user account’s ability to log in remotely. +- Reset the password for the user account and other potentially compromised accounts (email, services, CRMs, etc.). +- Reimage the host operating system and restore compromised files to clean versions. +""" references = [ "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", + "https://frsecure.com/compromised-credentials-response-playbook", ] risk_score = 73 rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5" diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml index e2d3b86b7..d4783ecab 100644 --- a/rules/windows/defense_evasion_amsienable_key_mod.toml +++ b/rules/windows/defense_evasion_amsienable_key_mod.toml 
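Review bot: The password reset in the remediation list is scoped too narrowly: the triage step above tells the analyst to enumerate every 4624 logon to the host after the registry change, yet the response only resets `the user account`, so the other accounts whose cleartext credentials may have been captured are left untouched. Change it to `Reset the passwords of every account that logged on to the host after the UseLogonCredential modification, as identified in the 4624 scoping step, plus any other potentially compromised accounts.` A quick containment step is also missing ahead of the reimage, e.g. `Set UseLogonCredential back to 0 (or delete the value) to stop further cleartext capture on the host.` The heading `## Triage and analysis.` carries a trailing period that the other guides in this commit do not have.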
@@ -1,20 +1,62 @@ [metadata] creation_date = "2021/06/01" maturity = "production" -updated_date = "2022/02/28" +updated_date = "2022/03/07" [rule] author = ["Elastic"] description = """ -Identifies when JScript tries to query the AmsiEnable registry key from the HKEY_USERS registry hive before initializing Antimalware -Scan Interface (AMSI). If this key is set to 0, AMSI is not enabled for the JScript process. An adversary can modify -this key to disable AMSI protections. +Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An +adversary can modify this key to disable AMSI protections. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Modification of AmsiEnable Registry Key" +note = """## Triage and analysis + +### Investigating Modification of AmsiEnable Registry Key + +The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and +services to integrate with any antimalware product that's present on a machine. AMSI provides integration with multiple +Windows components, ranging from User Account Control (UAC) to VBA Macros. + +Since AMSI is widely used across security products for increased visibility, attackers can disable it to evade +detections that rely on it. + +This rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key. + +#### Possible investigation steps + +- Identify the user that performed the action. +- Check whether this user should be doing this kind of activity. +- Investigate program execution chain (parent process tree). +- Investigate other alerts related to the user/host in the last 48 hours. +- Investigate the execution of scripts and macros after the registry modification. +- Retrieve script/office files: + - Use a sandboxed malware analysis system to perform analysis. 
+ - Observe attempts to contact external domains and addresses. + - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file. + - Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences on other hosts. + +### False positive analysis + +- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and +monitored by the security team, as these modifications expose the host to malware infections. + +### Related rules + +- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- If malware was found, implement temporary network rules, procedures, and segmentation required to contain it. +- Delete or set the key to its default value. +""" references = [ "https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal", diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml index fd5efb7da..8a1bbfc52 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml 
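Review bot: `Delete or set the key to its default value` in the remediation list leaves the analyst to look up the default; the value that re-enables AMSI for Windows Script Host is `1`, so say `Delete the AmsiEnable value or set it to 1 (AMSI enabled).` The path the note quotes, `Software\Microsoft\Windows Script\Settings\AmsiEnable`, is relative to a user hive, which presumably means the change needs no elevated privileges and only affects scripts run by that user; if that holds, pair `Identify the user that performed the action` with `Check whether the account holds administrative rights; the modification itself does not require them.` so the analyst does not over-estimate the attacker's foothold. `Check whether this user should be doing this kind of activity` contradicts the false-positive section, which says the modification should never happen legitimately, and could be dropped.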
@@ -14,6 +14,56 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Volume Shadow Copy Deleted or Resized via VssAdmin" +note = """## Triage and analysis. + +### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin + +The Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes +that can later be restored or mounted to recover specific files or folders. + +A typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow +Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow +copies worth monitoring. + +This rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies. + +#### Possible investigation steps + +- Investigate the program execution chain (parent process tree). +- Check whether the account is authorized to perform this operation. +- Confirm whether the account owner is aware of the operation. +- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB. +- Investigate other alerts related to the user/host in the last 48 hours. +- If unsigned files are found on the process tree: + - Capture copies of the files. + - Use a sandboxed malware analysis system to perform analysis. + - Observe attempts to contact external domains and addresses. + - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file. + - Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences in other hosts. +- Check if any files on the host machine have been encrypted. + + +### False positive analysis + +- This rule may produce benign true positives (B-TPs). 
If this activity is expected and noisy in your +environment, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Related rules + +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Priority should be given due to the advanced stage of this activity on the attack. +- If malware was found, isolate the involved hosts to prevent the infection of other hosts. +- Disable the involved accounts, or restrict their ability to log on remotely. +- If data was encrypted, deleted, or modified, activate your data recovery plan. +- Reset the password of the involved accounts. +- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +""" risk_score = 73 rule_id = "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921" severity = "high" diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml index 57bcfe182..f45d7890d 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/07/19" maturity = "production" -updated_date = "2021/10/17" +updated_date = "2022/03/08" [rule] author = ["Elastic", "Austin Songer"] 
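Review bot: The Related rules list names this rule itself: `Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921` is the `rule_id` set two lines below the note, while the WMIC variant that the other two guides in this commit reference (`Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57`) is missing; replace the self-reference with the WMIC entry. The `401MB` hint should say why it matters, e.g. `A resize such as vssadmin resize shadowstorage ... /maxsize=401MB is commonly used by ransomware to make Windows discard existing shadow copies without an explicit delete.` The heading `## Triage and analysis.` has a stray trailing period, and `Priority should be given due to the advanced stage of this activity on the attack` reads better as `Treat this as high priority: shadow copy deletion usually immediately precedes encryption.`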
@@ -14,6 +14,56 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Volume Shadow Copy Deletion via PowerShell" +note = """## Triage and analysis + +### Investigating Volume Shadow Copy Deletion via PowerShell + +The Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes +that can later be restored or mounted to recover specific files or folders. + +A typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow +Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow +copies worth monitoring. + +This rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow +copy objects, and delete them. + +#### Possible investigation steps + +- Investigate the program execution chain (parent process tree). +- Check whether the account is authorized to perform this operation. +- Confirm whether the account owner is aware of the operation. +- Investigate other alerts related to the user/host in the last 48 hours. +- If unsigned files are found on the process tree: + - Capture copies of the files. + - Use a sandboxed malware analysis system to perform analysis. + - Observe attempts of contacting external domains and addresses. + - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file. + - Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences in other hosts. +- Check if any files on the host machine have been encrypted. + + +### False positive analysis + +- This rule has chances of producing benign true positives (B-TPs). 
If this activity is expected and noisy in your +environment, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Related rules + +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Priority should be given due to the advanced stage of this activity on the attack. +- If malware was found, isolate the involved hosts to prevent the infection of other hosts. +- Disable the involved accounts, or restrict their ability to log on remotely. +- If data was encrypted, deleted, or modified, activate your data recovery plan. +- Reset the password of the involved accounts. +- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +""" references = [ "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml index d8eb0e4d5..92bc9f5f3 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2021/09/23" +updated_date = "2022/03/08" [rule] author = ["Elastic"] 
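Review bot: The Related rules list appears to include this rule itself: `Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4` matches this rule's name and is the ID the other two guides in this commit use for it, while the WMIC variant (`Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57`, from the last file in this commit) is not listed; swap them. The investigation steps are generic and carry nothing PowerShell-specific even though the detection is on the `Win32_ShadowCopy` cmdlet chain; add `Retrieve the full script block (event 4104) and decode any -EncodedCommand argument, since the deletion may be hidden inside a larger script.` `Observe attempts of contacting external domains` should match the `attempts to contact` wording used in the other guides.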
@@ -14,6 +14,56 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Volume Shadow Copy Deletion via WMIC" +note = """## Triage and analysis + +### Investigating Volume Shadow Copy Deletion via WMIC + +The Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes +that can later be restored or mounted to recover specific files or folders. + +A typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow +Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow +copies worth monitoring. + +This rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter. + +#### Possible investigation steps + +- Investigate the program execution chain (parent process tree). +- Check whether the account is authorized to perform this operation. +- Confirm whether the account owner is aware of the operation. +- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB. +- Investigate other alerts related to the user/host in the last 48 hours. +- If unsigned files are found on the process tree: + - Capture copies of the files. + - Use a sandboxed malware analysis system to perform analysis. + - Observe attempts of contacting external domains and addresses. + - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file. + - Search for the existence of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Use process name, command line, and file hash to search for occurrences in other hosts. +- Check if any files on the host machine have been encrypted. + + +### False positive analysis + +- This rule has chances of producing benign true positives (B-TPs). 
If this activity is expected and noisy in your +environment, consider adding exceptions — preferably with a combination of user and command line conditions. + +### Related rules + +- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921 +- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Priority should be given due to the advanced stage of this activity on the attack. +- If malware was found, isolate the involved hosts to prevent the infection of other hosts. +- Disable the involved accounts, or restrict their ability to log on remotely. +- If data was encrypted, deleted, or modified, activate your data recovery plan. +- Reset the password of the involved accounts. +- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.). +""" risk_score = 73 rule_id = "dc9c1f74-dac3-48e3-b47f-eb79db358f57" severity = "high"
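Review bot: `In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.` is copied from the VssAdmin guide and does not apply here: the note itself says this rule watches `wmic.exe` with the `shadowcopy` alias and the delete parameter, and there is no resize operation on that path. Drop the bullet, or replace it with something WMIC-specific such as `Check the wmic command line for a /node: argument, which would mean the deletion was issued against a remote host; identify the issuing host in that case.` `Observe attempts of contacting external domains` should match the `attempts to contact` wording used elsewhere in this commit.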