diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml new file mode 100644 index 000000000..ce6f4fdfe --- /dev/null +++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml @@ -0,0 +1,46 @@ +[metadata] +creation_date = "2021/12/25" +maturity = "production" +updated_date = "2021/12/31" + +[rule] +author = ["Austin Songer"] +description = """ +Identifies the creation of symbolic links to a shadow copy. Symbolic Links can be used to access files in the shadow copy, including sensitive files that may contain credential information. +""" +false_positives = ["Legitimate administrative activity related to shadow copies"] +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] +language = "eql" +license = "Elastic License v2" +name = "Symbolic Link to Shadow Copy Created" +references = [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", + "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", +] +risk_score = 47 +rule_id = "d117cbb4-7d56-41b4-b999-bdf8c25648a0" +severity = "medium" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where event.type in ("start", "process_started") and +process.pe.original_file_name == "Cmd.Exe" and +process.args : "*mklink*" and +process.args : "*\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/"