security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Shadowcopy via Symlink (#1675)

Browse Source 
* Create credential_access_shadowcopy_via_symlink.toml

* Update credential_access_shadowcopy_via_symlink.toml

* Update and rename credential_access_shadowcopy_via_symlink.toml to credential_access_shadowcopy_via_mklink.toml

* Update credential_access_shadowcopy_via_mklink.toml

* Update rules/windows/credential_access_shadowcopy_via_mklink.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/credential_access_shadowcopy_via_mklink.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/credential_access_shadowcopy_via_mklink.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update credential_access_shadowcopy_via_mklink.toml

* Rename credential_access_shadowcopy_via_mklink.toml to credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml

* Update credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 25327134a6)
This commit is contained in:
Austin Songer
2022-01-12 04:52:37 -06:00
committed by github-actions[bot]
parent 9e781091cd
commit 6d784aa605
1 changed files with 46 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml
+46
View File
@@ -0,0 +1,46 @@
[metadata]
creation_date = "2021/12/25"
maturity = "production"
updated_date = "2021/12/31"
[rule]
author = ["Austin Songer"]
description = """
Identifies the creation of symbolic links to a shadow copy. Symbolic Links can be used to access files in the shadow copy, including sensitive files that may contain credential information.
"""
false_positives = ["Legitimate administrative activity related to shadow copies"]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Symbolic Link to Shadow Copy Created"
references = [
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink",
"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf",
]
risk_score = 47
rule_id = "d117cbb4-7d56-41b4-b999-bdf8c25648a0"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process.pe.original_file_name == "Cmd.Exe" and
process.args : "*mklink*" and
process.args : "*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"