[Security Content] Introduce Osquery Markdown Plugin Queries in Investigation Guides (#2387)
* [Security Content] Introduce Osquery Markdown Plugin Queries in Investigation Guides * Remove min_stack and add Note * Fix Typo and preffix * Update command_and_control_certutil_network_connection.toml * Add unit test to check Note about Osquery Markdown plugin and Version limitations * Update test_all_rules.py * Update test_all_rules.py * Change Note Verbiage
This commit is contained in:
Jonhnathan
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/03/19"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -26,6 +26,9 @@ in order to take the next steps in a compromised environment.
|
||||
This rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in
|
||||
[IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
|
||||
@@ -33,15 +36,22 @@ prevalence, whether they are located in expected locations, and if they are sign
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Investigate if the downloaded file was executed.
|
||||
- Determine the context in which `certutil.exe` and the file were run.
|
||||
- Retrieve the downloaded file and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the downloaded file using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/04"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/11/01"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -29,6 +29,9 @@ likelihood that hosts within a network are already communicating with them prior
|
||||
This rule looks for processes outside known legitimate program locations communicating with a list of services that can
|
||||
be abused for exfiltration or command and control.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
|
||||
@@ -36,15 +39,22 @@ prevalence, whether they are located in expected locations, and if they are sign
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Verify whether the digital signature exists in the executable.
|
||||
- Identify the operation type (upload, download, tunneling, etc.).
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the process executable using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/09/03"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/27"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -26,6 +26,9 @@ and control channel. However, they can also abuse signed utilities to drop these
|
||||
The `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the
|
||||
`lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -36,16 +39,22 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
|
||||
- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file
|
||||
from an internal system.
|
||||
- Retrieve the file and determine if it is malicious:
|
||||
- Identify the file type.
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the file using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/09/03"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/27"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -24,6 +24,9 @@ The `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used t
|
||||
Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files,
|
||||
including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -32,15 +35,22 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Contact the account owner and confirm whether they are aware of this activity.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Check the reputation of the domain or IP address used to host the downloaded file.
|
||||
- Retrieve the file and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the file using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/30"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -25,6 +25,9 @@ available for use in various environments and creates an attractive way for atta
|
||||
actions. This rule correlates network and file events to detect downloads of executable and script files performed using
|
||||
PowerShell.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -33,15 +36,22 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Evaluate whether the user needs to use PowerShell to complete tasks.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Check the reputation of the domain or IP address used to host the downloaded file.
|
||||
- Retrieve the file and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the file using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/29"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -28,23 +28,29 @@ can also use them to download tools and utilities needed to accomplish their goa
|
||||
|
||||
This rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||
- Retrieve the script file and the executable involved and determine if they are malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Manually analyze the script to determine if malicious capabilities are present.
|
||||
- Investigate whether the potential malware ran successfully, is active on the host, or was stopped by defenses.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze both the script and the executable involved using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/12/14"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -34,22 +34,29 @@ More details on SUNBURST can be found on the [Mandiant Report](https://www.mandi
|
||||
This rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity
|
||||
by imitating the Orion Improvement Program (OIP) protocol behavior.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||
- Retrieve the executable involved:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Investigate whether the potential malware ran successfully, is active on the host, or was stopped by defenses.
|
||||
- Investigate the network traffic.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the executable involved using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/09/02"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/27"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -24,6 +24,9 @@ TeamViewer is a remote access and remote control tool used by helpdesks and syst
|
||||
support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other
|
||||
malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -32,15 +35,22 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this
|
||||
access.
|
||||
- Retrieve the file and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the file using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/03/25"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -32,6 +32,9 @@ application control defenses that are configured to allow `MSBuild.exe` executio
|
||||
This rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of
|
||||
credential access activities.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -40,15 +43,22 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
modifications, and any spawned child processes.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Examine the command line to identify the `.csproj` file location.
|
||||
- Retrieve the file and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the file using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target
|
||||
host after the registry modification.
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/02"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -32,6 +32,9 @@ Domain-joined hosts usually perform Kerberos traffic using the `lsass.exe` proce
|
||||
traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of
|
||||
Kerberos tickets.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -39,15 +42,22 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Check if the Destination IP is related to a Domain Controller.
|
||||
- Review event ID 4769 for suspicious ticket requests.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the process executable using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2022/02/16"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/11/07"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -33,20 +33,31 @@ sign-on (SSO) ensuring a user isn’t prompted each time resource access is requ
|
||||
harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using
|
||||
[alternate authentication material](https://attack.mitre.org/techniques/T1550/).
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the process executable using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2021/10/15"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -26,6 +26,9 @@ makes it available for use in various environments, and creates an attractive wa
|
||||
Attackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script,
|
||||
which can circumvent file-based security protections.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration
|
||||
@@ -35,15 +38,22 @@ prevalence, whether they are located in expected locations, and if they are sign
|
||||
- Examine file or network events from the involved PowerShell process for suspicious behavior.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Evaluate whether the user needs to use PowerShell to complete tasks.
|
||||
- Retrieve the script and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the script using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2021/10/19"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -27,6 +27,9 @@ makes it available for use in various environments, and creates an attractive wa
|
||||
Attackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the
|
||||
disk. This strategy can circumvent string and file-based security protections.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration
|
||||
@@ -36,15 +39,22 @@ prevalence, whether they are located in expected locations, and if they are sign
|
||||
- Examine file or network events from the involved PowerShell process for suspicious behavior.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Evaluate whether the user needs to use PowerShell to complete tasks.
|
||||
- Retrieve the script and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the script using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2021/10/11"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -29,6 +29,9 @@ More context and technical details can be found in this [research blog](https://
|
||||
This rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system
|
||||
calls to bypass security solutions that rely on hooks.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -36,15 +39,23 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
|
||||
and any spawned child processes.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the process executable using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/08/19"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/27"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -26,6 +26,9 @@ characteristics is file operations.
|
||||
This rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation
|
||||
of a vulnerability or a malicious process masquerading as a system-critical process.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -33,15 +36,23 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
|
||||
and any spawned child processes.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the process executable using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2021/01/21"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/10/11"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -29,6 +29,9 @@ contains the data inside the file. So any data stream that has a name is conside
|
||||
Attackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the
|
||||
creation of alternate data streams on highly targeted file types.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the
|
||||
@@ -40,15 +43,23 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
and any spawned child processes.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the process executable using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/10/15"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -28,6 +28,9 @@ This rule looks for the enumeration of privileged local groups' membership by su
|
||||
legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack,
|
||||
such as mapping targets for credential compromise and other post-exploitation activities.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Identify the process, host and user involved on the event.
|
||||
@@ -36,14 +39,22 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
|
||||
connections.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Check if the file belongs to the operating system or has a valid digital signature.
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the process executable using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
updated_date = "2022/09/27"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
|
||||
@@ -25,6 +25,9 @@ This rule looks for the creation of the `cmd.exe` process with `svchost.exe` as
|
||||
behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege
|
||||
escalation.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -32,15 +35,23 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
|
||||
and any spawned child processes.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the process executable using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/10/30"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/10/11"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -23,21 +23,31 @@ note = """## Triage and analysis
|
||||
This rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to
|
||||
hide malware and make the execution less suspicious.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Examine the command line to determine which commands or scripts were executed.
|
||||
- Retrieve the script and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the script using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2021/10/15"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -26,6 +26,9 @@ makes it available for use in various environments, and creates an attractive wa
|
||||
Attackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk,
|
||||
bypassing file-based security protections. These executables are generally base64 encoded.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration
|
||||
@@ -34,15 +37,22 @@ capabilities, suspicious functions, encoded or compressed data, and other potent
|
||||
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Evaluate whether the user needs to use PowerShell to complete tasks.
|
||||
- Retrieve the script and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the script using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2021/10/15"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -33,6 +33,9 @@ malware tooling for its capabilities.
|
||||
Detecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through
|
||||
PowerShell, enabling defenders to discover tools being dropped in the environment.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration
|
||||
@@ -44,15 +47,22 @@ prevalence, whether they are located in expected locations, and if they are sign
|
||||
- Check for additional PowerShell and command-line logs that indicate that imported functions were run.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Evaluate whether the user needs to use PowerShell to complete tasks.
|
||||
- Retrieve the script and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the script using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -27,6 +27,9 @@ implemented over Server Message Block (SMB), which communicates between hosts us
|
||||
network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate
|
||||
port scanners, exploits, and tools used to move laterally on the environment.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -35,15 +38,23 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Contact the account owner and confirm whether they are aware of this activity.
|
||||
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
|
||||
and any spawned child processes.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the process executable using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/03"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/10/11"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -23,21 +23,31 @@ note = """## Triage and analysis
|
||||
Adversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These
|
||||
tools can include discovery utilities, credential dumpers, malware, etc.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||
- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled tasks creation.
|
||||
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the process executable using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/16"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/10/11"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -29,6 +29,9 @@ session until the session is terminated.
|
||||
This rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the
|
||||
spawn of a child process.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the
|
||||
@@ -42,15 +45,23 @@ and any spawned child processes.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate
|
||||
software installations.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the process executable using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -20,6 +20,9 @@ note = """## Triage and analysis
|
||||
Attackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched
|
||||
whenever Adobe Acrobat Reader is executed.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -27,15 +30,22 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Identify the user account that performed the action and whether it should perform this kind of action.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
|
||||
- Retrieve the file and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the file using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2021/03/15"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -25,6 +25,9 @@ persistence. Startup shell folders are often targeted as they are not as prevale
|
||||
behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for
|
||||
an attacker.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -33,15 +36,22 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Validate the activity is not related to planned patches, updates, network administrator activity or legitimate software
|
||||
installations.
|
||||
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
|
||||
- Retrieve the file and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the file using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -31,6 +31,9 @@ More details can be found [here](https://attack.mitre.org/techniques/T1546/008/)
|
||||
This rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features
|
||||
binaries' original file names, which is likely a custom binary deployed by the attacker.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -39,15 +42,22 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Contact the account and system owners and confirm whether they are aware of this activity.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
|
||||
- Retrieve the file and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the file using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/18"
|
||||
maturity = "production"
|
||||
updated_date = "2022/10/11"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
|
||||
@@ -26,6 +26,9 @@ in the registry will cause the program referenced to be executed when a user log
|
||||
under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring
|
||||
a range of registry run keys.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -34,15 +37,23 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate
|
||||
software installations.
|
||||
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the process executable using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/18"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/11/07"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -25,6 +25,9 @@ logon, without user interaction, providing an excellent way for attackers to mai
|
||||
|
||||
This rule monitors for commonly abused processes writing to the Startup folder locations.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -33,15 +36,22 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate
|
||||
software installations.
|
||||
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
|
||||
- Retrieve the file and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the file using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/29"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -25,6 +25,9 @@ logon, without user interaction, providing an excellent way for attackers to mai
|
||||
|
||||
This rule looks for unsigned processes writing to the Startup folder locations.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -33,15 +36,22 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate
|
||||
software installations.
|
||||
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
|
||||
- Retrieve the file and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the file using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/11/18"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -25,6 +25,9 @@ logon, without user interaction, providing an excellent way for attackers to mai
|
||||
|
||||
This rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -33,15 +36,22 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate
|
||||
software installations.
|
||||
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
|
||||
- Retrieve the file and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the file using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/08/17"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/10/11"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -28,6 +28,9 @@ Core products. Fixed by Microsoft on Patch Tuesday June 2020.
|
||||
This rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters.
|
||||
Attackers can leverage this technique to elevate privileges or maintain persistence.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -36,15 +39,23 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
and any spawned child processes.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the process executable using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2021/11/25"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -27,6 +27,9 @@ This rule detects the default execution of the PoC, which overwrites the `elevat
|
||||
to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked),
|
||||
which is outside the scope of this rule.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -34,15 +37,22 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Look for additional processes spawned by the process, command lines, and network communications.
|
||||
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
|
||||
- Retrieve the file and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the file using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/08/14"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/10/11"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -27,6 +27,9 @@ The Print Spooler service has some known vulnerabilities that attackers can abus
|
||||
CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location
|
||||
`?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -35,15 +38,23 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
and any spawned child processes.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Inspect the host for suspicious or abnormal behavior in the alert timeframe.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the process executable using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/03/17"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -33,6 +33,9 @@ of another binary or script is added to this registry value, it will be executed
|
||||
UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by
|
||||
`eventvwr.exe` other than `mmc.exe` and `werfault.exe`.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -41,15 +44,23 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Inspect the host for suspicious or abnormal behavior in the alert timeframe.
|
||||
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
|
||||
and any spawned child processes.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the process executable using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/10/26"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -30,6 +30,9 @@ For more information about the UAC and how it works, check the [official Microso
|
||||
This rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows
|
||||
directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -38,15 +41,22 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Inspect the host for suspicious or abnormal behavior in the alert timeframe.
|
||||
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
|
||||
and any spawned child processes.
|
||||
- If any of the spawned processes are suspicious, retrieve them and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze any suspicious spawned processes using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/10/14"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -30,6 +30,9 @@ For more information about the UAC and how it works, check the [official Microso
|
||||
This rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC)
|
||||
Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -38,15 +41,22 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Inspect the host for suspicious or abnormal behavior in the alert timeframe.
|
||||
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
|
||||
and any spawned child processes.
|
||||
- If any of the spawned processes are suspicious, retrieve them and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze any suspicious spawned processes using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
updated_date = "2022/11/04"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -26,6 +26,9 @@ system and then alert on occurrences that don't comply with the baseline.
|
||||
|
||||
This rule uses this information to spot suspicious parent and child processes.
|
||||
|
||||
> **Note**:
|
||||
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
@@ -33,15 +36,23 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
|
||||
and any spawned child processes.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Examine the host for derived artifacts that indicates suspicious activities:
|
||||
- Analyze the process executable using a private sandboxed analysis system.
|
||||
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
||||
filtering by the process' `process.entity_id`.
|
||||
- Examine the DNS cache for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
||||
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
||||
processes in the process tree.
|
||||
- Examine the host services for suspicious or anomalous entries.
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
||||
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
||||
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
||||
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
||||
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
### False positive analysis
|
||||
|
||||
|
||||
@@ -765,3 +765,19 @@ class TestRiskScoreMismatch(BaseRuleTest):
|
||||
err_msg = 'The following rules have mismatches between Severity and Risk Score field values:\n'
|
||||
err_msg += invalid_str
|
||||
self.fail(err_msg)
|
||||
|
||||
|
||||
class TestOsqueryPluginNote(BaseRuleTest):
|
||||
"""Test if a guide containing Osquery Plugin syntax contains the version note."""
|
||||
|
||||
def test_note_guide(self):
|
||||
osquery_note = '> **Note**:\n'
|
||||
osquery_note_pattern = osquery_note + '> This investigation guide uses the [Osquery Markdown Plugin]' \
|
||||
'(https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic ' \
|
||||
'stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.'
|
||||
|
||||
for rule in self.all_rules:
|
||||
if rule.contents.data.note and "!{osquery" in rule.contents.data.note:
|
||||
if osquery_note_pattern not in rule.contents.data.note:
|
||||
self.fail(f'{self.rule_str(rule)} Investigation guides using the Osquery Markdown must contain '
|
||||
f'the following note:\n{osquery_note_pattern}')
|
||||
|
||||
Reference in New Issue
Block a user