From 88f752bf8bceacd5c8a9307c3ce80353af782c30 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 27 Nov 2023 18:37:15 +0000
Subject: [PATCH] [New] First Time Seen NewCredentials Lgon Process (#3276)

* Create privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---
 ...scalation_newcreds_logon_rare_process.toml | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 rules/windows/privilege_escalation_newcreds_logon_rare_process.toml

diff --git a/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
new file mode 100644
index 000000000..7db1faf21
--- /dev/null
+++ b/rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/11/15"
+integration = ["system", "windows"]
+maturity = "production"
+min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
+min_stack_version = "8.4.0"
+updated_date = "2023/11/15"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token
+forging capability that are often abused to bypass access control restrictions.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Time Seen NewCredentials Logon Process"
+risk_score = 47
+rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d"
+severity = "medium"
+references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi ")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1134"
+name = "Access Token Manipulation"
+reference = "https://attack.mitre.org/techniques/T1134/"
+[[rule.threat.technique.subtechnique]]
+id = "T1134.001"
+name = "Token Impersonation/Theft"
+reference = "https://attack.mitre.org/techniques/T1134/001/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["process.executable"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
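Review bot: The `description` has a grammar slip and a naming mismatch with the query: it says `a new credentials logon type` while the `name` and the query use the literal `NewCredentials`, and `capability that are often abused` does not agree in number; suggest `Identifies a NewCredentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability, which is often abused to bypass access control restrictions.` The rule also ships without a `note` field, so analysts get no triage guidance for an alert that fires on the first sight of any `process.executable` within the 7-day history window; a short note naming the expected benign sources (administrative tooling that legitimately uses alternate credentials) and what to verify (parent process, user context, signer) would make it actionable. The `"Advapi "` alternative in the query looks redundant with `Advapi*`, since the wildcard already matches trailing-space variants of the logon process name — worth confirming against the field mapping before dropping it. The reference URL uses the localized `/pt/` blog path; the unlocalized path is probably the intended one.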