From 7c4ca0a4a303ba7e4d2b92361330ed46ee071d0b Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Thu, 17 Aug 2023 13:00:50 -0300 Subject: [PATCH] [New Rule] Building Block Rules - Part 2 (#2923) * [New Rule] Building Block Rules - Part 2 * . * Update rules_building_block/defense_evasion_dll_hijack.toml * Update rules_building_block/defense_evasion_file_permission_modification.toml * Update rules_building_block/discovery_posh_password_policy.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit 9144dc04480731712fda4dad2f80293896d6720c) --- detection_rules/etc/non-ecs-schema.json | 1 + .../discovery_system_service_discovery.toml | 5 +- .../defense_evasion_dll_hijack.toml | 65 +++++++++++++ ..._evasion_file_permission_modification.toml | 56 +++++++++++ .../discovery_internet_capabilities.toml | 51 ++++++++++ .../discovery_posh_password_policy.toml | 94 +++++++++++++++++++ .../lateral_movement_posh_winrm_activity.toml | 76 +++++++++++++++ 7 files changed, 346 insertions(+), 2 deletions(-) create mode 100644 rules_building_block/defense_evasion_dll_hijack.toml create mode 100644 rules_building_block/defense_evasion_file_permission_modification.toml create mode 100644 rules_building_block/discovery_internet_capabilities.toml create mode 100644 rules_building_block/discovery_posh_password_policy.toml create mode 100644 rules_building_block/lateral_movement_posh_winrm_activity.toml diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json index 0302b5fa4..77d17936c 100644 --- a/detection_rules/etc/non-ecs-schema.json +++ b/detection_rules/etc/non-ecs-schema.json 
@@ -71,6 +71,7 @@ "file.Ext.entropy": "long", "file.size": "long", "file.Ext.original.name": "keyword", + "dll.Ext.device.product_id": "keyword", "dll.Ext.relative_file_creation_time": "double", "dll.Ext.relative_file_name_modify_time": "double", "process.Ext.relative_file_name_modify_time": "double", diff --git a/rules/windows/discovery_system_service_discovery.toml b/rules/windows/discovery_system_service_discovery.toml index 7d949a628..69297a080 100644 --- a/rules/windows/discovery_system_service_discovery.toml +++ b/rules/windows/discovery_system_service_discovery.toml @@ -4,7 +4,7 @@ integration = ["windows", "endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/12" [rule] author = ["Elastic"] @@ -29,7 +29,8 @@ process where host.os.type == "windows" and event.type == "start" and ( ((process.name: "net.exe" or process.pe.original_file_name == "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2) or ((process.name: "sc.exe" or process.pe.original_file_name == "sc.exe") and process.args: ("query", "q*")) or - ((process.name: "tasklist.exe" or process.pe.original_file_name == "tasklist.exe") and process.args: "/svc") + ((process.name: "tasklist.exe" or process.pe.original_file_name == "tasklist.exe") and process.args: "/svc") or + (process.name : "psservice.exe" or process.pe.original_file_name == "psservice.exe") ) and not user.id : "S-1-5-18" ''' diff --git a/rules_building_block/defense_evasion_dll_hijack.toml b/rules_building_block/defense_evasion_dll_hijack.toml new file mode 100644 index 000000000..775d0428e --- /dev/null +++ b/rules_building_block/defense_evasion_dll_hijack.toml 
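Review bot: The new `psservice.exe` branch in the second hunk has no argument filter, unlike the net/sc/tasklist branches beside it, so it also fires on service control use — PsService accepts `start`, `stop`, `restart`, `pause`, `cont`, `setconfig` and `\\computer` targets — which is execution or impact rather than the T1007 discovery this rule is mapped to. Constrain it to the enumeration verbs, e.g. `((process.name : "psservice.exe" or process.pe.original_file_name == "psservice.exe") and (process.args : ("query", "config", "find", "security", "depend") or process.args_count == 1))`, the `args_count == 1` arm keeping the bare invocation that lists every service; I am going from the tool's documented verbs, so confirm against telemetry. Note `updated_date` is bumped to 2023/07/12 while the commit itself is dated 2023-08-17, which is harmless but worth a glance if the date is meant to track the last edit.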
@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2023/07/12"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the
+application folder and invoke the legitimate application to execute the payload, masking actions they perform under a
+legitimate, trusted, and potentially elevated system or software process.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unsigned DLL Loaded by a Trusted Process"
+risk_score = 21
+rule_id = "c20cd758-07b1-46a1-b03f-fa66158258b8"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+library where host.os.type == "windows" and
+ (dll.Ext.relative_file_creation_time <= 500 or
+ dll.Ext.relative_file_name_modify_time <= 500 or
+ dll.Ext.device.product_id : ("Virtual DVD-ROM", "Virtual Disk")) and dll.hash.sha256 != null and
+ process.code_signature.status :"trusted" and not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and
+ /* DLL loaded from the process.executable current directory */
+ endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))
+ and not user.id : "S-1-5-18"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.001"
+name = 
"DLL Search Order Hijacking" +reference = "https://attack.mitre.org/techniques/T1574/001/" + +[[rule.threat.technique.subtechnique]] +id = "T1574.002" +name = "DLL Side-Loading" +reference = "https://attack.mitre.org/techniques/T1574/002/" + + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/defense_evasion_file_permission_modification.toml b/rules_building_block/defense_evasion_file_permission_modification.toml new file mode 100644 index 000000000..a31055733 --- /dev/null +++ b/rules_building_block/defense_evasion_file_permission_modification.toml 
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/07/12"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the change of permissions/ownership of files/folders through built-in Windows utilities. Threat actors may
+require permission modification of files/folders to change, modify or delete them.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "File and Directory Permissions Modification"
+risk_score = 21
+rule_id = "bc9e4f5a-e263-4213-a2ac-1edf9b417ada"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where event.type == "start" and host.os.type == "windows" and
+(
+ ((process.name: "icacls.exe" or process.pe.original_file_name == "iCACLS.EXE") and process.args: ("*:F", "/reset", "/setowner", "*grant*")) or
+ ((process.name: "cacls.exe" or process.pe.original_file_name == "CACLS.EXE") and process.args: ("/g", "*:f")) or
+ ((process.name: "takeown.exe" or process.pe.original_file_name == "takeown.exe") and process.args: ("/F")) or
+ ((process.name: "attrib.exe" or process.pe.original_file_name== "ATTRIB.EXE") and process.args: "-r")
+) and not user.id : "S-1-5-18"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1222"
+name = "File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1222.001"
+name = "Windows File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/001/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules_building_block/discovery_internet_capabilities.toml b/rules_building_block/discovery_internet_capabilities.toml
new file mode 100644
index 000000000..187003d3e
--- /dev/null
+++ b/rules_building_block/discovery_internet_capabilities.toml
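Review bot: The icacls and cacls branches of the query cover grant, reset and ownership changes but not the deny path: `icacls <path> /deny <sid>:(F)` and `cacls <path> /d <user>` are the forms used to lock defenders and security services out of a directory, and they match neither `*grant*`/`*:F` nor `/g`. Change the two lines to `... and process.args: ("*:F", "/reset", "/setowner", "*grant*", "/deny")) or` and `... and process.args: ("/g", "/p", "/d", "*:f")) or`. Note also that `*:F` only matches the bare `user:F` spelling; the `(F)` and `(OI)(CI)F` inheritance forms that icacls usage commonly takes end in `)` and are missed, so `*grant*` is carrying most of that detection — worth a `/* */` comment in the query or a sentence in the description. I am going from the documented tool syntax, so validate against a sample before widening.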
@@ -0,0 +1,51 @@
+[metadata]
+creation_date = "2023/07/12"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of built-in tools attackers can use to check for Internet connectivity on compromised systems. These
+results may be used to determine communication capabilities with C2 servers, or to identify routes, redirectors, and
+proxy servers.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Discovery of Internet Capabilities via Built-in Tools"
+risk_score = 21
+rule_id = "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : ("ping.exe", "tracert.exe", "pathping.exe") and
+ not process.args : ("127.0.0.1", "::1", "0.0.0.0", "192.168.*")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+[[rule.threat.technique.subtechnique]]
+id = "T1016.001"
+name = "Internet Connection Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/001/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml
new file mode 100644
index 000000000..e71108428
--- /dev/null
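Review bot: The exclusion list `("127.0.0.1", "::1", "0.0.0.0", "192.168.*")` drops only one of the three RFC 1918 ranges, so routine `ping 10.x.x.x`, `ping 172.16-31.x.x`, `ping localhost` and link-local traffic fires a rule named "Internet Capabilities"; add `"localhost", "10.*", "169.254.*"` and the `172.16.*`–`172.31.*` prefixes (EQL wildcards cannot express the /12 in one pattern, so list them or accept `172.*`). This rule also matches on `process.name` alone while the sibling rules in this PR pair it with `process.pe.original_file_name`, so a renamed ping.exe evades it; use `(process.name : ("ping.exe", "tracert.exe", "pathping.exe") or process.pe.original_file_name : ("ping.exe", "tracert.exe", "pathping.exe"))`. Finally the tags claim `Data Source: Elastic Endgame` but `index` lists only `logs-endpoint.events.*` — either add `endgame-*` to `index` or drop the tag so the metadata is not misleading.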
+++ b/rules_building_block/discovery_posh_password_policy.toml 
@@ -0,0 +1,94 @@
+[metadata]
+creation_date = "2023/07/12"
+integration = ["windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM
+to perform lateral movement using built-in tools.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "PowerShell Script with Password Policy Discovery Capabilities"
+note = """## Setup
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Administrative Templates >
+Windows PowerShell >
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+"""
+risk_score = 21
+rule_id = "fe25d5bc-01fa-494a-95ff-535c29cc4c96"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "query"
+building_block_type = "default"
+
+query = '''
+event.category: "process" and host.os.type:windows and
+(
+ powershell.file.script_block_text: (
+ "Get-ADDefaultDomainPasswordPolicy" or
+ "Get-ADFineGrainedPasswordPolicy" or
+ "Get-ADUserResultantPasswordPolicy" or
+ "Get-DomainPolicy" or
+ "Get-GPPPassword" or
+ "Get-PassPol"
+ )
+ or
+ powershell.file.script_block_text: (
+ ("defaultNamingContext" or "ActiveDirectory.DirectoryContext" or "ActiveDirectory.DirectorySearcher") and
+ (
+ (
+ 
".MinLengthPassword" or + ".MinPasswordAge" or + ".MaxPasswordAge" + ) or + ( + "minPwdAge" or + "maxPwdAge" or + "minPwdLength" + ) or + ( + "msDS-PasswordSettings" + ) + ) + ) +) and not powershell.file.script_block_text : ( + "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators" + ) + and not user.id : "S-1-5-18" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1201" +name = "Password Policy Discovery" +reference = "https://attack.mitre.org/techniques/T1201/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml new file mode 100644 index 000000000..3aff00994 --- /dev/null +++ b/rules_building_block/lateral_movement_posh_winrm_activity.toml 
@@ -0,0 +1,76 @@
+[metadata]
+creation_date = "2023/07/12"
+integration = ["windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM
+to perform lateral movement using built-in tools.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "PowerShell Script with Remote Execution Capabilities via WinRM"
+note = """## Setup
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Administrative Templates >
+Windows PowerShell >
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+"""
+references = [
+ "https://attack.mitre.org/techniques/T1021/006/",
+ "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs",
+ "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py"
+]
+risk_score = 21
+rule_id = "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: PowerShell Logs", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "query"
+building_block_type = "default"
+
+query = '''
+event.category:process and host.os.type:windows and
+ powershell.file.script_block_text : (
+ ("Invoke-WmiMethod" or "Invoke-Command" or "Enter-PSSession") and 
"ComputerName" + ) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1021" +name = "Remote Services" +reference = "https://attack.mitre.org/techniques/T1021/" +[[rule.threat.technique.subtechnique]] +id = "T1021.006" +name = "Windows Remote Management" +reference = "https://attack.mitre.org/techniques/T1021/006/" + + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/"