security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Building Block Rules - Part 1 (#2912)

Browse Source 
* [New Rule] Building Block Rules - Part 1

* Update defense_evasion_powershell_clear_logs_script.toml

* Update discovery_posh_generic.toml

* .

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
This commit is contained in:
Jonhnathan
2023-07-18 20:01:43 -03:00
committed by GitHub
parent 23a133121d
commit 7949b8a03e
6 changed files with 549 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules_building_block/collection_archive_data_zip_imageload.toml
+51
View File
@@ -0,0 +1,51 @@
[metadata]
creation_date = "2023/07/06"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/06"
[rule]
author = ["Elastic"]
description = """
Identifies the image load of a compression DLL. Adversaries will often compress and encrypt data in preparation for
exfiltration.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Compression DLL Loaded by Unusual Process"
risk_score = 21
rule_id = "d197478e-39f0-4347-a22f-ba654718b148"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Endgame", "Rule Type: BBR"]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"
query = '''
library where
dll.name : ("System.IO.Compression.FileSystem.ni.dll", "System.IO.Compression.ni.dll") and
/* FP Patterns */
not process.executable :
("?:\\Program Files\\*",
"?:\\Program Files (x86)\\*",
"?:\\Windows\\Microsoft.NET\\Framework*\\mscorsvw.exe",
"?:\\Windows\\System32\\sdiagnhost.exe")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1560"
name = "Archive Collected Data"
reference = "https://attack.mitre.org/techniques/T1560/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
rules_building_block/collection_posh_compression.toml
+99
View File
@@ -0,0 +1,99 @@
[metadata]
creation_date = "2023/07/06"
integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/06"
[rule]
author = ["Elastic"]
description = """
Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and
encrypt data in preparation for exfiltration.
"""
from = "now-119m"
interval = "60m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Script with Archive Compression Capabilities"
note = """## Setup
The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Administrative Templates >
Windows PowerShell >
Turn on PowerShell Script Block Logging (Enable)
```
Steps to implement the logging policy via registry:
```
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
risk_score = 21
rule_id = "27071ea3-e806-4697-8abc-e22c92aa4293"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"]
timestamp_override = "event.ingested"
type = "query"
building_block_type = "default"
query = '''
event.category:process and host.os.type:windows and
(
powershell.file.script_block_text : (
"IO.Compression.ZipFile" or
"IO.Compression.ZipArchive" or
"ZipFile.CreateFromDirectory" or
"IO.Compression.BrotliStream" or
"IO.Compression.DeflateStream" or
"IO.Compression.GZipStream" or
"IO.Compression.ZLibStream"
) and
powershell.file.script_block_text : (
"CompressionLevel" or
"CompressionMode" or
"ZipArchiveMode"
) or
powershell.file.script_block_text : "Compress-Archive"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1560"
name = "Archive Collected Data"
reference = "https://attack.mitre.org/techniques/T1560/"
[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
rules_building_block/defense_evasion_masquerading_communication_apps.toml
+1 -1
View File
@@ -21,7 +21,7 @@ name = "Potential Masquerading as Communication Apps"
risk_score = 21
rule_id = "c9482bfa-a553-4226-8ea2-4959bd4f7923"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
rules_building_block/defense_evasion_powershell_clear_logs_script.toml
+95
View File
@@ -0,0 +1,95 @@
[metadata]
creation_date = "2023/07/06"
integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/06"
[rule]
author = ["Elastic"]
description = """
Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by
attackers in an attempt to evade detection or destroy forensic evidence on a system.
"""
from = "now-119m"
interval = "60m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Script with Log Clear Capabilities"
note = """## Setup
The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Administrative Templates >
Windows PowerShell >
Turn on PowerShell Script Block Logging (Enable)
```
Steps to implement the logging policy via registry:
```
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
references = [
"https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear",
"https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog"
]
risk_score = 21
rule_id = "3d3aa8f9-12af-441f-9344-9f31053e316d"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"]
timestamp_override = "event.ingested"
type = "query"
building_block_type = "default"
query = '''
event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
"Clear-EventLog" or
"Remove-EventLog" or
("Eventing.Reader.EventLogSession" and ".ClearLog") or
("Diagnostics.EventLog" and ".Clear")
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.001"
name = "Clear Windows Event Logs"
reference = "https://attack.mitre.org/techniques/T1070/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
rules_building_block/discovery_posh_generic.toml
+244
View File
@@ -0,0 +1,244 @@
[metadata]
creation_date = "2023/07/06"
integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/06"
[rule]
author = ["Elastic"]
description = """
Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various
situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.
"""
from = "now-119m"
interval = "60m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Script with Discovery Capabilities"
note = """## Setup
The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Administrative Templates >
Windows PowerShell >
Turn on PowerShell Script Block Logging (Enable)
```
Steps to implement the logging policy via registry:
```
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
risk_score = 21
rule_id = "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"]
timestamp_override = "event.ingested"
type = "query"
building_block_type = "default"
query = '''
event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
(
("Get-ItemProperty" or "Get-Item") and "-Path"
) or
(
"Get-ADDefaultDomainPasswordPolicy" or
"Get-ADDomain" or "Get-ComputerInfo" or
"Get-Disk" or "Get-DnsClientCache" or
"Get-GPOReport" or "Get-HotFix" or
"Get-LocalUser" or "Get-NetFirewallProfile" or
"get-nettcpconnection" or "Get-NetAdapter" or
"Get-PhysicalDisk" or "Get-Process" or
"Get-PSDrive" or "Get-Service" or
"Get-SmbShare" or "Get-WinEvent"
) or
(
("Get-WmiObject" or "gwmi" or "Get-CimInstance" or
"gcim" or "Management.ManagementObjectSearcher" or
"System.Management.ManagementClass" or
"[WmiClass]" or "[WMI]") and
(
"AntiVirusProduct" or "CIM_BIOSElement" or "CIM_ComputerSystem" or "CIM_Product" or "CIM_DiskDrive" or
"CIM_LogicalDisk" or "CIM_NetworkAdapter" or "CIM_StorageVolume" or "CIM_OperatingSystem" or
"CIM_Process" or "CIM_Service" or "MSFT_DNSClientCache" or "Win32_BIOS" or "Win32_ComputerSystem" or
"Win32_ComputerSystemProduct" or "Win32_DiskDrive" or "win32_environment" or "Win32_Group" or
"Win32_groupuser" or "Win32_IP4RouteTable" or "Win32_logicaldisk" or "Win32_MappedLogicalDisk" or
"Win32_NetworkAdapterConfiguration" or "win32_ntdomain" or "Win32_OperatingSystem" or
"Win32_PnPEntity" or "Win32_Process" or "Win32_Product" or "Win32_quickfixengineering" or
"win32_service" or "Win32_Share" or "Win32_UserAccount"
)
) or
(
("ADSI" and "WinNT") or
("Get-ChildItem" and "sysmondrv.sys") or
("::GetIPGlobalProperties()" and "GetActiveTcpConnections()") or
("ServiceProcess.ServiceController" and "::GetServices") or
("Diagnostics.Process" and "::GetProcesses") or
("DirectoryServices.Protocols.GroupPolicy" and ".GetGPOReport()") or
("DirectoryServices.AccountManagement" and "PrincipalSearcher") or
("NetFwTypeLib.NetFwMgr" and "CurrentProfile") or
("NetworkInformation.NetworkInterface" and "GetAllNetworkInterfaces") or
("Automation.PSDriveInfo") or
("Microsoft.Win32.RegistryHive")
) or
(
"Get-ItemProperty" and
(
"\Control\SecurityProviders\WDigest" or
"\microsoft\windows\currentversion\explorer\runmru" or
"\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" or
"\Microsoft\Windows\CurrentVersion\Uninstall" or
"\Microsoft\Windows\WindowsUpdate" or
"Policies\Microsoft\Windows\Installer" or
"Software\Microsoft\Windows\CurrentVersion\Policies" or
("\Services\SharedAccess\Parameters\FirewallPolicy" and "EnableFirewall") or
("Microsoft\Windows\CurrentVersion\Internet Settings" and "proxyEnable")
)
) or
(
("Directoryservices.Activedirectory" or
"DirectoryServices.AccountManagement") and
(
"Domain Admins" or "DomainControllers" or
"FindAllGlobalCatalogs" or "GetAllTrustRelationships" or
"GetCurrentDomain" or "GetCurrentForest"
) or
"DirectoryServices.DirectorySearcher" and
(
"samAccountType=805306368" or
"samAccountType=805306369" or
"objectCategory=group" or
"objectCategory=groupPolicyContainer" or
"objectCategory=site" or
"objectCategory=subnet" or
"objectClass=trustedDomain"
)
) or
(
"Get-Process" and
(
"mcshield" or "windefend" or "savservice" or
"TMCCSF" or "symantec antivirus" or
"CSFalcon" or "TmPfw" or "kvoop"
)
)
) and not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
and not file.path : (*WindowsPowerShell*Modules*.psd1 or *WindowsPowerShell*Modules*.psm1)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"
[[rule.threat.technique.subtechnique]]
id = "T1087.001"
name = "Local Account"
reference = "https://attack.mitre.org/techniques/T1087/001/"
[[rule.threat.technique.subtechnique]]
id = "T1087.002"
name = "Domain Account"
reference = "https://attack.mitre.org/techniques/T1087/002/"
[[rule.threat.technique]]
id = "T1482"
name = "Domain Trust Discovery"
reference = "https://attack.mitre.org/techniques/T1482/"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[[rule.threat.technique]]
id = "T1083"
name = "File and Directory Discovery"
reference = "https://attack.mitre.org/techniques/T1083/"
[[rule.threat.technique]]
id = "T1615"
name = "Group Policy Discovery"
reference = "https://attack.mitre.org/techniques/T1615/"
[[rule.threat.technique]]
id = "T1135"
name = "Network Share Discovery"
reference = "https://attack.mitre.org/techniques/T1135/"
[[rule.threat.technique]]
id = "T1201"
name = "Password Policy Discovery"
reference = "https://attack.mitre.org/techniques/T1201/"
[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
reference = "https://attack.mitre.org/techniques/T1057/"
[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"
[[rule.threat.technique.subtechnique]]
id = "T1518.001"
name = "Security Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/001/"
[[rule.threat.technique]]
id = "T1012"
name = "Query Registry"
reference = "https://attack.mitre.org/techniques/T1012/"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[[rule.threat.technique]]
id = "T1049"
name = "System Network Connections Discovery"
reference = "https://attack.mitre.org/techniques/T1049/"
[[rule.threat.technique]]
id = "T1007"
name = "System Service Discovery"
reference = "https://attack.mitre.org/techniques/T1007/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
rules_building_block/discovery_windows_system_information_discovery.toml
+59
View File
@@ -0,0 +1,59 @@
[metadata]
creation_date = "2023/07/06"
integration = ["windows", "endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/06"
[rule]
author = ["Elastic"]
description = """
Detects the execution of commands used to discover information about the system, which attackers may use after
compromising a system to gain situational awareness.
"""
from = "now-119m"
interval = "60m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Windows System Information Discovery"
risk_score = 21
rule_id = "51176ed2-2d90-49f2-9f3d-17196428b169"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR"]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(
(
process.name : "cmd.exe" and process.args : "ver*" and not
process.parent.executable : (
"?:\\Users\\*\\AppData\\Local\\Keybase\\upd.exe",
"?:\\Users\\*\\python*.exe"
)
) or
process.name : ("systeminfo.exe", "hostname.exe") or
(process.name : "wmic.exe" and process.args : "os" and process.args : "get")
) and not
process.parent.executable : (
"?:\\Program Files\\*",
"?:\\Program Files (x86)\\*",
"?:\\ProgramData\\*"
) and not user.id : "S-1-5-18"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Service Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"