diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index 7348078a5..9fcc6f573 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml 
@@ -17,31 +17,42 @@ note = """## Triage and analysis. ### Investigating PowerShell Suspicious Script with Audio Capture Capabilities -PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks. +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. -Attackers can use PowerShell to interact with the Windows API and capture audio from input devices connected to the -computer. +Attackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices +connected to the victim's computer. -#### Possible investigation steps: +#### Possible investigation steps - Examine script content that triggered the detection. -- Investigate script execution chain (parent process tree). +- Investigate the script execution chain (parent process tree). - Inspect any file or network events from the suspicious PowerShell host process instance. -- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. +- Investigate other alerts related to the user/host in the last 48 hours. +- Consider whether the user needs PowerShell to complete its tasks. +- Investigate if the script stores the recorded data locally and determine if anything was recorded. +- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration. +- Assess network data to determine if the host communicated with the exfiltration server. +- Determine if the user credentials were compromised and if the attacker used them to perform unauthorized access to the +linked email account. -### False Positive Analysis +### False positive analysis -- Verify whether the script content is malicious/harmful. 
+- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of +authorized benign true positives (B-TPs), exceptions can be added. -### Related Rules +### Related rules - PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe - Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d -### Response and Remediation +### Response and remediation -- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent -further post-compromise behavior. +- Initiate the incident response process based on the outcome of the triage. +- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage. +- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities. +- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users. +- Review GPOs to add additional restrictions for PowerShell usage by users. ## Config diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index 2f3ad4c6f..8b8044aa5 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml @@ -18,7 +18,8 @@ note = """## Triage and analysis. ### Investigating PowerShell Keylogging Script -PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks. +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. Attackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations. 
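Review bot: The new investigation step "Determine if the user credentials were compromised and if the attacker used them to perform unauthorized access to the linked email account" in the audio-capture hunk does not follow from anything this rule observes; nothing else in the note mentions email or credentials, so it reads as carried over from another rule and should either be dropped or tied to what an audio capture can expose (for example, credentials or secrets spoken during recorded calls). Two smaller points in the same hunk: "Consider whether the user needs PowerShell to complete its tasks" should read "their tasks" (the phrase is repeated in every rule in this patch), and this file, like collection_posh_keylogger.toml, defense_evasion_posh_process_injection.toml and execution_posh_psreflect.toml, changes the note without a matching `updated_date` change, while the other rules in the patch move to "2022/03/02"; confirm those four are already current or bump them as well.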
@@ -26,22 +27,30 @@ valuable information as credit card data and confidential conversations. #### Possible investigation steps: - Examine script content that triggered the detection. -- Investigate script execution chain (parent process tree). +- Investigate the script execution chain (parent process tree). - Inspect any file or network events from the suspicious PowerShell host process instance. -- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. +- Investigate other alerts related to the user/host in the last 48 hours. +- Consider whether the user needs PowerShell to complete its tasks. +- Investigate if the script stores the captured data locally. +- Investigate if the script contains exfiltration capabilities and the destination of this exfiltration. +- Assess network data to determine if the host communicated with the exfiltration server. -### False Positive Analysis +### False positive analysis -- Verify whether the script content is malicious/harmful. +- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making +false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added. -### Related Rules +### Related rules - PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe -### Response and Remediation +### Response and remediation -- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent -further post-compromise behavior. +- Initiate the incident response process based on the outcome of the triage. +- The response must be prioritized if this alert involves key executives or potentially valuable targets for espionage. +- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities. +- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users. 
+- Reset the password for the user account and other potentially compromised accounts (email, services, CRMs, etc.). ## Config diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml index 74934ee76..00145cecb 100644 --- a/rules/windows/credential_access_posh_minidump.toml +++ b/rules/windows/credential_access_posh_minidump.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/05" maturity = "production" -updated_date = "2022/02/28" +updated_date = "2022/03/02" [rule] author = ["Elastic"] 
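Review bot: The heading "#### Possible investigation steps:" keeps its trailing colon in the keylogger hunk while every other rule in the patch drops it ("#### Possible investigation steps"); since the hunk already rewrites the lines directly beneath it, include the heading in the change. The password-reset step is the right call for a keylogger, and its parenthetical "(email, services, CRMs, etc.)" is the clearest statement in the patch of what counts as a potentially compromised account; the step "Investigate if the script stores the captured data locally" would also benefit from the follow-on that the audio-capture rule has ("and determine if anything was recorded"), i.e. whether keystrokes were actually captured, not only whether the script can write them.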
@@ -19,31 +19,37 @@ note = """## Triage and analysis. ### Investigating PowerShell MiniDump Script -PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks. +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. -Process Memory Dump capabilities can be abused by attackers to extract credentials from LSASS or to obtain other privileged -information stored in the process memory. +Attackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other +privileged information stored in the process memory. -#### Possible investigation steps: +#### Possible investigation steps - Examine script content that triggered the detection. -- Investigate script execution chain (parent process tree). +- Investigate the script execution chain (parent process tree). - Inspect any file or network events from the suspicious PowerShell host process instance. -- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. +- Investigate other alerts related to the user/host in the last 48 hours. +- Consider whether the user needs PowerShell to complete its tasks. +- Check if the imported function was executed and which process it targeted. -### False Positive Analysis +### False positive analysis -- Verify whether the script content is malicious/harmful. +- Regular users do not have a business justification for using scripting utilities to dump process memory, making false +positives unlikely. 
-### Related Rules +### Related rules - PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe - Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d -### Response and Remediation +### Response and remediation -- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent -further post-compromise behavior. +- Initiate the incident response process based on the outcome of the triage. +- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities. +- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users. +- Reset the password for the user account. ## Config diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml index a217ff2cc..ab6bcf33f 100644 --- a/rules/windows/defense_evasion_posh_process_injection.toml +++ b/rules/windows/defense_evasion_posh_process_injection.toml 
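Review bot: "Reset the password for the user account" under-scopes the response for the MiniDump rule: the description says the capability is abused "to extract credentials from LSASS", and LSASS holds credentials for every account with a session on the host, not only the account that ran the script. Suggest "Reset the passwords of the user account and of every account that had a session on the host (check for domain, service and administrator accounts)". The step "Check if the imported function was executed and which process it targeted" would also be more actionable if it named the process the description calls out (lsass.exe) as the case that turns this from suspicious into critical.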
@@ -19,33 +19,39 @@ note = """## Triage and analysis. ### Investigating Potential Process Injection via PowerShell -PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks. +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. PowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc. Red Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject -payloads directly into the memory, without touching the disk. +payloads directly into the memory without touching the disk to circumvent file-based security protections. -#### Possible investigation steps: +#### Possible investigation steps - Examine script content that triggered the detection. -- Investigate script execution chain (parent process tree). +- Investigate the script execution chain (parent process tree). - Inspect any file or network events from the suspicious PowerShell host process instance. -- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. +- Investigate other alerts related to the user/host in the last 48 hours. +- Consider whether the user needs PowerShell to complete its tasks. +- Check if the imported function was executed and which process it targeted. +- Check if the injected code can be retrieved (hardcoded in the script or on command line logs). -### False Positive Analysis +### False positive analysis -- Verify whether the script content is malicious/harmful. +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. 
-### Related Rules +### Related rules - PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe -### Response and Remediation +### Response and remediation -- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent -further post-compromise behavior. +- Initiate the incident response process based on the outcome of the triage. +- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities. +- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users. +- Reset the password for the user account. ## Config diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml index eabfc07ce..89089c77c 100644 --- a/rules/windows/discovery_posh_suspicious_api_functions.toml +++ b/rules/windows/discovery_posh_suspicious_api_functions.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/13" maturity = "production" -updated_date = "2022/02/28" +updated_date = "2022/03/02" [rule] author = ["Elastic"] 
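Review bot: "Reset the password for the user account" in the process-injection response list is not motivated by anything in the note: the description covers stagers and loaders that inject payloads into memory, not credential theft, and the discovery, portable-executable and PSReflect rules in this same patch omit the reset. Either state why a reset follows from injection (the injected payload runs with the user's token and may harvest their credentials) or drop it for consistency. Minor: "Benign true positives (B-TPs) can be added as exceptions" reads better as "exceptions can be added for benign true positives (B-TPs)"; the same sentence appears in the portable-executable and PSReflect rules.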
@@ -20,30 +20,36 @@ note = """## Triage and analysis. ### Investigating PowerShell Suspicious Discovery Related Windows API Functions -PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks. +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. -Attackers can use PowerShell to interact with the Win32 API to bypass file based antivirus detections, using libraries +Attackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet. -#### Possible investigation steps: +#### Possible investigation steps - Examine script content that triggered the detection. -- Investigate script execution chain (parent process tree). +- Investigate the script execution chain (parent process tree). - Inspect any file or network events from the suspicious PowerShell host process instance. -- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. +- Investigate other alerts related to the user/host in the last 48 hours. +- Consider whether the user needs PowerShell to complete its tasks. +- Check if the imported function was executed. -### False Positive Analysis +### False positive analysis -- Verify whether the script content is malicious/harmful. +- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not +contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. +However, analysts should keep in mind that this is not a common way of getting information, making it suspicious. 
-### Related Rules +### Related rules - PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe -### Response and Remediation +### Response and remediation -- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent -further post-compromise behavior. +- Initiate the incident response process based on the outcome of the triage. +- Quarantine the involved host to prevent further post-compromise behavior. +- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users. ## Config diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml index 2e72fec7f..24ec18b08 100644 --- a/rules/windows/execution_posh_portable_executable.toml +++ b/rules/windows/execution_posh_portable_executable.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/15" maturity = "production" -updated_date = "2022/02/28" +updated_date = "2022/03/02" [rule] author = ["Elastic"] 
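Review bot: The rewritten false-positive paragraph in the discovery hunk contradicts itself: it first says isolated discovery alerts "can be dismissed" and then that this is "not a common way of getting information, making it suspicious". Split it into the condition and the caveat, e.g. "- Discovery activity on its own is not malicious: if the script has no other capabilities and there are no other alerts for the user or host, the alert can be closed. Calling Windows API functions from PowerShell is still an uncommon way to gather this information, so record the justification before closing." Also, the description now says the API calls "bypass command line based detections", but the investigation step "Check if the imported function was executed" gives no hint where that evidence lives when the command line is uninformative; point to script block logging, which the Config section of this rule already requires.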
@@ -18,32 +18,36 @@ note = """## Triage and analysis. ### Investigating Suspicious Portable Executable Encoded in Powershell Script -PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks. +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. Attackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, -bypassing antivirus software. These executables are generally base64 encoded. +bypassing file-based security protections. These executables are generally base64 encoded. -#### Possible investigation steps: +#### Possible investigation steps - Examine script content that triggered the detection. -- Investigate script execution chain (parent process tree). +- Investigate the script execution chain (parent process tree). - Inspect any file or network events from the suspicious PowerShell host process instance. -- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. +- Investigate other alerts related to the user/host in the last 48 hours. +- Consider whether the user needs PowerShell to complete its tasks. +- Retrieve the script and execute it in a sandbox or controlled environment. -### False Positive Analysis +### False positive analysis -- Verify whether the script content is malicious/harmful. +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. 
-### Related Rules +### Related rules - PowerShell Reflection Assembly Load - e26f042e-c590-4e82-8e05-41e81bd822ad - PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a - PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe -### Response and Remediation +### Response and remediation -- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent -further post-compromise behavior. +- Initiate the incident response process based on the outcome of the triage. +- Quarantine the involved host to prevent further post-compromise behavior. +- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users. ## Config diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml index a1831ea2d..4fb93c91e 100644 --- a/rules/windows/execution_posh_psreflect.toml +++ b/rules/windows/execution_posh_psreflect.toml @@ -16,9 +16,11 @@ language = "kuery" license = "Elastic License v2" name = "PowerShell PSReflect Script" note = """## Triage and analysis + ### Investigating PowerShell PSReflect Script -PowerShell is one of the main tools in the belt of system administrators for automation, report routines, and other tasks. +PowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This +makes it available for use in various environments, and creates an attractive way for attackers to execute code. PSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily—all without touching the disk. 
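Review bot: "Retrieve the script and execute it in a sandbox or controlled environment" in the portable-executable hunk skips the cheaper static step the description sets up: the note says the embedded executables "are generally base64 encoded", so the analyst can decode the payload, confirm it is a PE file and hash it before any detonation. Suggest adding, ahead of the sandbox step, "- Decode the embedded payload, verify it is a portable executable and check its hash against threat intelligence sources." Also, the heading on the context line reads "Investigating Suspicious Portable Executable Encoded in Powershell Script"; the product name is written "PowerShell" everywhere else in this patch.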
@@ -27,18 +29,22 @@ Although this is an interesting project for every developer and admin out there, malware tooling for its capabilities. Detecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through -PowerShell, enabling the defender to discover tools being dropped in the environment. +PowerShell, enabling defenders to discover tools being dropped in the environment. -#### Possible investigation steps: -- Check for additional PowerShell logs that indicate that the script/command was run. -- Gather the script content that may be split into multiple script blocks, and identify its capabilities. -- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. -- Look for additional alerts involving the host and the user. +#### Possible investigation steps -### False Positive Analysis -- Verify whether the script content is malicious/harmful. +- Check for additional PowerShell and command-line logs that indicate that imported functions were run. +- Gather the script content that may be split into multiple script blocks (the field `powershell.file.script_block_id` +can be used for filtering), and identify its capabilities. +- Investigate other alerts related to the user/host in the last 48 hours. +- Consider whether the user needs PowerShell to complete its tasks. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Related rules -### Related Rules - PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e - PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889 - PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43 
@@ -47,21 +53,27 @@ PowerShell, enabling the defender to discover tools being dropped in the environ - PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a - PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70 -### Response and Remediation -- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent -further post-compromise behavior. +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Quarantine the involved host to prevent further post-compromise behavior. +- Configure AppLocker or equivalent software to restrict access to PowerShell for regular users. ## Config + The 'PowerShell Script Block Logging' logging policy must be configured (Enable). Steps to implement the logging policy with with Advanced Audit Configuration: + ``` Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` + Steps to implement the logging policy via registry: + ``` reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml index c212a508d..4247efd25 100644 --- a/rules/windows/privilege_escalation_group_policy_iniscript.toml +++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/11/08" maturity = "production" -updated_date = "2022/02/28" +updated_date = "2022/03/02" [rule] author = ["Elastic"] 
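Review bot: The PSReflect Config hunk adds blank lines around "Steps to implement the logging policy with with Advanced Audit Configuration:" but leaves the doubled "with with" in place; fix it while the line is in the hunk. The same typo sits in the context of the Config hunks for privilege_escalation_group_policy_iniscript.toml, privilege_escalation_group_policy_privileged_groups.toml and privilege_escalation_group_policy_scheduled_task.toml further down, each of which also touches the line right after it.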
@@ -17,31 +17,40 @@ note = """## Triage and analysis ### Investigating Scheduled Task Execution at Scale via GPO -Group Policy Objects can be used by attackers as a mechanism for an attacker to instruct an arbitrarily large group of clients to -execute specified commands at startup, logon, shutdown, and logoff. This is done by creating/modifying the `scripts.ini` or -`psscripts.ini` files. The scripts are stored in the following path: `\\Machine\\Scripts\\`, `\\User\\Scripts\\` +Group Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of +clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the +`scripts.ini` or `psscripts.ini` files. The scripts are stored in the following path: `\\Machine\\Scripts\\`, +`\\User\\Scripts\\` -#### Possible investigation steps: -- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate -and the administrator is authorized to perform this operation. +#### Possible investigation steps + +- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the +activity is legitimate and the administrator is authorized to perform this operation. - Retrieve the contents of the script file, and check for any potentially malicious commands and binaries. -- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. +- Investigate other alerts related to the user/host in the last 48 hours. +- Scope which objects have been affected. -### False Positive Analysis -- Verify if the execution is allowed and done under change management, and legitimate. +### False positive analysis + +- Verify if the execution is legitimately authorized and executed under a change management process. 
+ +### Related rules -### Related Rules - Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf - Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e -### Response and Remediation -- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent -further post-compromise behavior. +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- The investigation and containment must be performed in every computer controlled by the GPO, where necessary. +- Remove the script from the GPO. +- Check if other GPOs have suspicious scripts attached. ## Config The 'Audit Detailed File Share' audit policy must be configured (Success Failure). Steps to implement the logging policy with with Advanced Audit Configuration: + ``` Computer Configuration > Policies > @@ -55,6 +64,7 @@ Audit Detailed File Share (Success,Failure) The 'Audit Directory Service Changes' audit policy must be configured (Success Failure). Steps to implement the logging policy with with Advanced Audit Configuration: + ``` Computer Configuration > Policies > diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml index 1e320ad35..ebd541283 100644 --- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml +++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/11/08" maturity = "production" -updated_date = "2022/02/28" +updated_date = "2022/03/02" [rule] author = ["Elastic"] 
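Review bot: The heading left as context in the iniscript hunk, "### Investigating Scheduled Task Execution at Scale via GPO", is the title of a different rule: this file is privilege_escalation_group_policy_iniscript.toml, its description covers `scripts.ini`/`psscripts.ini` startup and logon scripts, and "Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e" is listed under this rule's own Related rules. Since the hunk rewrites the paragraph directly under the heading, correct the heading to the rule's own name ("Startup/Logon Script added to Group Policy Object", which the other GPO rules in this patch cite as 16fac1a1-21ee-4ca6-b720-458e3855d046). Also, the new step "Scope which objects have been affected" would be more useful with the how: the GPO's links determine which computers and users ran the script.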
@@ -17,35 +17,41 @@ note = """## Triage and analysis ### Investigating Group Policy Abuse for Privilege Addition -Group Policy Objects can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF +Group Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. -Example Path: "\\\\DC.com\\SysVol\\DC.com\\Policies\\{21B9B880-B2FB-4836-9C2D-2013E0D832E9}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf" +Example Path: "\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf" -#### Possible investigation steps: -- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity -is legitimate and the administrator is authorized to perform this operation. +#### Possible investigation steps + +- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the +activity is legitimate and the administrator is authorized to perform this operation. - Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc. -- Inspect the user SIDs associated with these privileges. +- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges. + +### False positive analysis -### False Positive Analysis -- Verify if the User SIDs should have these privileges. - Inspect whether the user that has done the modifications should be allowed to. The user name can be found in the `winlog.event_data.SubjectUserName` field. 
-### Related Rules -- Scheduled Task Execution at Scale via GPO -- Startup/Logon Script added to Group Policy Object +### Related rules -### Response and Remediation -- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent -further post-compromise behavior. +- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e +- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- The investigation and containment must be performed in every computer controlled by the GPO, where necessary. +- Remove the script from the GPO. +- Check if other GPOs have suspicious scripts attached. ## Config The 'Audit Directory Service Changes' audit policy must be configured (Success Failure). Steps to implement the logging policy with with Advanced Audit Configuration: + ``` Computer Configuration > Policies > diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml index 68b386811..3ca9cd21b 100644 --- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml +++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/11/08" maturity = "production" -updated_date = "2022/02/28" +updated_date = "2022/03/02" [rule] author = ["Elastic"] 
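Review bot: The response steps "Remove the script from the GPO" and "Check if other GPOs have suspicious scripts attached" in the privileged-groups hunk are copied from the logon-script rule and do not match this rule, whose description is about `GptTmpl.inf` privilege rights and group membership, not scripts. Suggest "Revert the unauthorized entries in the `Privilege Rights` and group membership sections of `GptTmpl.inf` (or restore the GPO from a known-good backup)" and "Check whether other GPOs grant similar privileges or group memberships". Also, "Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges" is missing a verb: "... and verify whether they should have them".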
@@ -16,32 +16,40 @@ note = """## Triage and analysis ### Investigating Scheduled Task Execution at Scale via GPO -Group Policy Objects can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a -given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` +Group Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled +by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file. -#### Possible investigation steps: +#### Possible investigation steps + - This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation. - Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands and binaries. -- If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. +- Investigate other alerts related to the user/host in the last 48 hours. +- Scope which objects have been affected. + +### False positive analysis -### False Positive Analysis - Verify if the execution is allowed and done under change management, and if the execution is legitimate. -### Related Rules -- Group Policy Abuse for Privilege Addition -- Startup/Logon Script added to Group Policy Object +### Related rules -### Response and Remediation -- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent -further post-compromise behavior. 
+- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf +- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046 + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- The investigation and containment must be performed in every computer controlled by the GPO, where necessary. +- Remove the script from the GPO. +- Check if other GPOs have suspicious scheduled tasks attached. ## Config The 'Audit Detailed File Share' audit policy must be configured (Success Failure). Steps to implement the logging policy with with Advanced Audit Configuration: + ``` Computer Configuration > Policies > @@ -55,6 +63,7 @@ Audit Detailed File Share (Success,Failure) The 'Audit Directory Service Changes' audit policy must be configured (Success Failure). Steps to implement the logging policy with with Advanced Audit Configuration: + ``` Computer Configuration > Policies >
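Review bot: The investigation step "check the `` and `` XML tags for any potentially malicious commands and binaries" in the scheduled-task hunk names no tags: as rendered here the two inline-code spans are empty, so the reader cannot tell which elements of `ScheduledTasks.xml` to read. If the tag names were lost in the diff rendering, ignore this; otherwise restore them in this hunk, since the step is unusable without them. The response steps also inherit "Remove the script from the GPO" from the logon-script rule; for this rule it should be "Remove the scheduled task from the GPO's `ScheduledTasks.xml`", matching the last step, which already says "suspicious scheduled tasks".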