From 66dff28498da2695bae9bce559d0177f7bb28e2e Mon Sep 17 00:00:00 2001 From: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> Date: Wed, 14 Apr 2021 07:58:00 -0700 Subject: [PATCH] [Rule Tuning] Public IP Reconnaissance Activity (#1091) * Delete discovery_post_exploitation_public_ip_reconnaissance.toml * Updated ip lookup rule * Modified index field * Update discovery_post_exploitation_external_ip_lookup.toml * Update discovery_post_exploitation_external_ip_lookup.toml * Update rules/windows/discovery_post_exploitation_external_ip_lookup.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> --- ...exploitation_public_ip_reconnaissance.toml | 54 ------------ ..._post_exploitation_external_ip_lookup.toml | 87 +++++++++++++++++++ 2 files changed, 87 insertions(+), 54 deletions(-) delete mode 100644 rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml create mode 100644 rules/windows/discovery_post_exploitation_external_ip_lookup.toml diff --git a/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml b/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml deleted file mode 100644 index 04a51e82b..000000000 --- a/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml +++ /dev/null @@ -1,54 +0,0 @@ -[metadata] -creation_date = "2020/09/04" -maturity = "production" -updated_date = "2021/03/03" - -[rule] -author = ["Elastic"] -description = """ -Identifies domains commonly used by adversaries for post-exploitation IP reconnaissance. It is common for adversaries to -test for Internet access and acquire their public IP address after they have gained access to a system. Among others, -this has been observed in campaigns leveraging the information stealer, Trickbot. -""" -false_positives = [ - """ - If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those - events. Validate that this is expected activity and tune the rule to fit your environment variables. - """, -] -index = ["packetbeat-*"] -language = "lucene" -license = "Elastic License v2" -name = "Public IP Reconnaissance Activity" -note = "This rule takes HTTP redirects and HTTP referrer's into account, however neither HTTP redirect status codes nor HTTP referrer's are visible with TLS traffic which can lead to multiple events per alert." -references = [ - "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation", - "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", -] -risk_score = 21 -rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511" -severity = "low" -tags = ["Elastic", "Network", "Threat Detection", "Discovery"] -timestamp_override = "event.ingested" -type = "query" - -query = ''' -event.category:network AND event.type:connection AND server.domain:(ipecho.net OR ipinfo.io OR ifconfig.co OR - ifconfig.me OR icanhazip.com OR myexternalip.com OR api.ipify.org OR bot.whatismyipaddress.com OR ip.anysrc.net OR - wtfismyip.com) AND NOT http.response.status_code:302 AND status:OK AND NOT _exists_:http.request.referrer -''' - - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1016" -name = "System Network Configuration Discovery" -reference = "https://attack.mitre.org/techniques/T1016/" - - -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml new file mode 100644 index 000000000..5bf984b68 --- /dev/null +++ b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml @@ -0,0 +1,87 @@ +[metadata] +creation_date = "2020/09/04" +maturity = "production" +updated_date = "2021/04/08" + +[rule] +author = ["Elastic"] +description = """ +Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to +test for Internet access and acquire their external IP address after they have gained access to a system. Among others, +this has been observed in campaigns leveraging the information stealer, Trickbot. +""" +false_positives = [ + """ + If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those + events. Validate that this is expected activity and tune the rule to fit your environment variables. + """, +] +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +language = "eql" +license = "Elastic License v2" +name = "External IP Lookup fron Non-Browser Process" +references = [ + "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation", + "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", +] +risk_score = 21 +rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511" +severity = "low" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +network where network.protocol == "dns" and + process.name != null and user.id not in ("S-1-5-19", "S-1-5-20") and + event.action == "lookup_requested" and + /* Add new external IP lookup services here */ + dns.question.name : + ( + "*api.ipify.org", + "*freegeoip.app", + "*checkip.amazonaws.com", + "*checkip.dyndns.org", + "*freegeoip.app", + "*icanhazip.com", + "*ifconfig.*", + "*ipecho.net", + "*ipgeoapi.com", + "*ipinfo.io", + "*ip.anysrc.net", + "*myexternalip.com", + "*myipaddress.com", + "*showipaddress.com", + "*whatismyipaddress.com", + "*wtfismyip.com" + ) and + /* Insert noisy false positives here */ + not process.executable : + ( + "?:\\Program Files\\*.exe", + "?:\\Program Files (x86)\\*.exe", + "?:\\Windows\\System32\\WWAHost.exe", + "?:\\Windows\\System32\\smartscreen.exe", + "?:\\Windows\\System32\\MicrosoftEdgeCP.exe", + "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe", + "?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe", + "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", + "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" + ) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/"