From a1bdf2b5647b4e53b2adbf7b8a9ca1f95d602045 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 19 May 2022 13:23:35 -0300 Subject: [PATCH] [Security Content] 8.3 - Add Investigation Guides (#1937) * 8.3 - Add Investigation Guides * Apply suggestions * Apply the refactor * Apply suggestions from Samir * . Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> --- rules/windows/discovery_admin_recon.toml | 47 +++++++++- .../discovery_command_system_account.toml | 92 +++++++++++++++++++ .../windows/discovery_file_dir_discovery.toml | 40 +++++++- .../discovery_net_command_system_account.toml | 51 ---------- rules/windows/discovery_net_view.toml | 43 ++++++++- .../windows/discovery_peripheral_device.toml | 47 +++++++++- ..._post_exploitation_external_ip_lookup.toml | 54 ++++++++++- ...very_privileged_localgroup_membership.toml | 71 +++++++++++++- ...ote_system_discovery_commands_windows.toml | 49 +++++++++- .../discovery_security_software_wmic.toml | 43 ++++++++- .../discovery_whoami_command_activity.toml | 46 +++++++++- 11 files changed, 511 insertions(+), 72 deletions(-) create mode 100644 rules/windows/discovery_command_system_account.toml delete mode 100644 rules/windows/discovery_net_command_system_account.toml diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml index 69ba69687..e55855c6d 100644 --- a/rules/windows/discovery_admin_recon.toml +++ b/rules/windows/discovery_admin_recon.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/04" maturity = "production" -updated_date = "2022/03/31" +updated_date = "2022/04/21" [rule] author = ["Elastic"] 
@@ -14,7 +14,50 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Enumeration of Administrator Accounts" -note = """## Config +note = """## Triage and analysis + +### Investigating Enumeration of Administrator Accounts + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups +in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such +as mapping targets for credential compromise and other post-exploitation activities. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and +network connections. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. + +### Related rules + +- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. 
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml new file mode 100644 index 000000000..512d34fa7 --- /dev/null +++ b/rules/windows/discovery_command_system_account.toml 
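Review bot: The "False positive analysis" section of the new discovery_admin_recon.toml note ends at "such alerts can be dismissed" and, unlike the External IP Lookup and Privileged Local Groups notes in this same commit, gives analysts no tuning guidance, although enumeration of administrator groups is routinely produced by IT inventory scripts, helpdesk tooling and vulnerability scanners and is better handled with scoped exceptions than dismissal. Suggest adding the bullet those two rules already carry: `- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.` The File and Directory Discovery, Windows Network Enumeration, Peripheral Device Discovery and Remote System Discovery Commands notes added by this commit have the same gap. The "## Config" paragraph at the end of the string is carried over unchanged from the previous note, which is correct since the rule's index list still includes `winlogbeat-*`.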
@@ -0,0 +1,92 @@
+[metadata]
+creation_date = "2020/03/18"
+maturity = "production"
+min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
+min_stack_version = "7.16.0"
+updated_date = "2022/04/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after
+an adversary has achieved privilege escalation.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Account Discovery Command via SYSTEM Account"
+note = """## Triage and analysis
+
+### Investigating Account Discovery Command via SYSTEM Account
+
+After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.
+This can happen by running commands to enumerate network resources, users, connections, files, and installed security
+software.
+
+This rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed
+after attackers successfully perform privilege escalation or exploit web applications.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+ - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike,
+ investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential
+ webshell backdoor.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system
+shell using Windows services, scheduled tasks or other third party utilities.
+
+### False positive analysis
+
+- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify
+suspicious activity related to the user or host, such alerts can be dismissed.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+- Use the data collected through the analysis to investigate other machines affected in the environment.
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
+risk_score = 21
+rule_id = "2856446a-34e6-435b-9fb5-f8f040bfa7ed"
+severity = "low"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started") and
+ (?process.Ext.token.integrity_level_name : "System" or
+ ?winlog.event_data.IntegrityLevel : "System") and
+ (process.name : "whoami.exe" or
+ (process.name : "net1.exe" and not process.parent.name : "net.exe"))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/windows/discovery_file_dir_discovery.toml b/rules/windows/discovery_file_dir_discovery.toml
index b01c7df89..e66f9a343 100644
--- a/rules/windows/discovery_file_dir_discovery.toml
+++ b/rules/windows/discovery_file_dir_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/21"
 
 [rule]
 author = ["Elastic"]
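Review bot: The rule name and the note speak of "the SYSTEM account", but the query keys on `?process.Ext.token.integrity_level_name : "System"` / `?winlog.event_data.IntegrityLevel : "System"`, and Windows assigns the System integrity level to service tokens in general (LOCAL SERVICE and NETWORK SERVICE included), not only to LocalSystem; analysts following the triage text may therefore assume a LocalSystem context that the event does not establish. Suggest a sentence after the rule description in the note: `The rule matches on the process integrity level rather than the account, so utilities launched under other service identities are detected as well; confirm the actual account from the event's user fields before assuming SYSTEM.` The file reproduces the deleted discovery_net_command_system_account.toml with the same `rule_id`, which keeps deployed rules attached to the same id but records the move as a delete plus add instead of a rename in history.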
@@ -21,6 +21,44 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "File and Directory Discovery" +note = """## Triage and analysis + +### Investigating File and Directory Discovery + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for three directory-listing commands in one minute, which can indicate attempts to locate valuable files, +specific file types or installed programs. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and +network connections. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. 
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). +""" risk_score = 21 rule_id = "7b08314d-47a0-4b71-ae4e-16544176924f" severity = "low" diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml deleted file mode 100644 index 4d2aad40a..000000000 --- a/rules/windows/discovery_net_command_system_account.toml +++ /dev/null 
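Review bot: The `note` added to discovery_file_dir_discovery.toml is the only one in this commit without a "## Config" section, even though the rule is also `language = "eql"` and its index list includes `winlogbeat-*` and `logs-windows.*`, the non-agent indices the sibling rules' config paragraph is about. If this rule sets `timestamp_override = "event.ingested"` (not visible in the hunk), append the same `## Config` paragraph about populating `event.ingested` for versions <8.2 so the guidance stays consistent across the discovery rules. The claim that the rule looks for "three directory-listing commands in one minute" cannot be checked here because the query is outside the hunk; please confirm it matches the sequence window actually used.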
@@ -1,51 +0,0 @@ -[metadata] -creation_date = "2020/03/18" -maturity = "production" -min_stack_comments = "EQL optional fields syntax was not introduced until 7.16" -min_stack_version = "7.16.0" -updated_date = "2022/04/06" - -[rule] -author = ["Elastic"] -description = """ -Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after -an adversary has achieved privilege escalation. -""" -from = "now-9m" -index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] -language = "eql" -license = "Elastic License v2" -name = "Account Discovery Command via SYSTEM Account" -note = """## Config - -If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" -risk_score = 21 -rule_id = "2856446a-34e6-435b-9fb5-f8f040bfa7ed" -severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -process where event.type in ("start", "process_started") and - (?process.Ext.token.integrity_level_name : "System" or - ?winlog.event_data.IntegrityLevel : "System") and - (process.name : "whoami.exe" or - (process.name : "net1.exe" and not process.parent.name : "net.exe")) -''' - - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1033" -name = "System Owner/User Discovery" -reference = "https://attack.mitre.org/techniques/T1033/" - - -[rule.threat.tactic] -id = "TA0007" -name = "Discovery" -reference = "https://attack.mitre.org/tactics/TA0007/" - diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml index bfea9b480..c1c0f99be 100644 --- a/rules/windows/discovery_net_view.toml +++ b/rules/windows/discovery_net_view.toml 
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/21"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,46 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Windows Network Enumeration" -note = """## Config +note = """## Triage and analysis + +### Investigating Windows Network Enumeration + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives +or printers. This information is useful to attackers as they can identify targets for lateral movements and search for +valuable shared data. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and +network connections. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml index 409223c76..8a50fcd16 100644 --- a/rules/windows/discovery_peripheral_device.toml +++ b/rules/windows/discovery_peripheral_device.toml @@ -1,12 +1,12 @@ [metadata] creation_date = "2020/11/02" maturity = "production" -updated_date = "2022/03/31" +updated_date = "2022/04/21" [rule] author = ["Elastic"] description = """ -Identifies use of the Windows file system utility (fsutil.exe ) to gather information about attached peripheral devices +Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system. """ from = "now-9m" 
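Review bot: Two wording fixes in the note added to discovery_net_view.toml: `to enumerate servers in the environment that hosts shared drives` has a plural subject and should read `that host shared drives`, and `identify targets for lateral movements` should read `targets for lateral movement`. The remainder of the note follows the template shared by the other discovery rules in this commit.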
@@ -14,7 +14,48 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Peripheral Device Discovery" -note = """## Config +note = """## Triage and analysis + +### Investigating Peripheral Device Discovery + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to +the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable +media. These devices can contain valuable information for attackers. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and +network connections. +- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage +services. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. 
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml index 63cc20e11..75e54afb6 100644 --- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml +++ b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/09/04" maturity = "production" -updated_date = "2022/02/14" +updated_date = "2022/04/21" [rule] author = ["Elastic"] 
@@ -21,6 +21,49 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "External IP Lookup from Non-Browser Process" +note = """## Triage and analysis + +### Investigating External IP Lookup from Non-Browser Process + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for connections to known IP lookup services through non-browser processes or non-installed programs. +Using only the IP address of the compromised system, attackers can obtain valuable information such as the system's +geographic location, the company that owns the IP, whether the system is cloud-hosted, and more. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file +modifications, and any spawned child processes. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination +of user and command line conditions. 
+ +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Use the data collected through the analysis to investigate other machines affected in the environment. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). +""" references = [ "https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", @@ -78,11 +121,20 @@ network where network.protocol == "dns" and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1614" +name = "System Location Discovery" +reference = "https://attack.mitre.org/techniques/T1614/" + [[rule.threat.technique]] id = "T1016" name = "System Network Configuration Discovery" reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique.subtechnique]] + id = "T1016.001" + name = "Internet Connection Discovery" + reference = "https://attack.mitre.org/techniques/T1016/001/" [rule.threat.tactic] id = "TA0007" diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml index acb81d4a6..f41dd3ef7 100644 
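Review bot: The note says the rule "looks for connections to known IP lookup services", but the hunk-header context of the second hunk, `network where network.protocol == "dns" and`, shows the query matches DNS resolution of the lookup-service domains, which neither proves that a connection followed nor what the response was; the triage text should say so, e.g. `This rule looks for DNS queries for known IP lookup services made by non-browser processes or non-installed programs.`, and the investigation steps could ask the analyst to check for the follow-on network connection from the same process. In the second hunk the `[[rule.threat.technique.subtechnique]]` block for T1016.001 is correctly nested under the T1016 technique, and T1614 is added as a separate technique entry.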
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/15"
 maturity = "production"
-updated_date = "2022/04/13"
+updated_date = "2022/04/21"
 
 [rule]
 author = ["Elastic"]
@@ -14,13 +14,74 @@ index = ["winlogbeat-*", "logs-system.*"] language = "eql" license = "Elastic License v2" name = "Enumeration of Privileged Local Groups Membership" -note = """## Config +note = """## Triage and analysis -This will require Windows security event 4799 by enabling audit success for the Windows Account Management category and -the Security Group Management subcategory. +### Investigating Enumeration of Privileged Local Groups Membership + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known +legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, +such as mapping targets for credential compromise and other post-exploitation activities. + +#### Possible investigation steps + +- Identify the process, host and user involved on the event. +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and +network connections. +- Retrieve the process executable and determine if it is malicious: + - Check if the file belongs to the operating system or has a valid digital signature. + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. 
+ - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled tasks creation. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination +of user and command line conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Config + +The 'Audit Security Group Management' audit policy must be configured (Success). 
+Steps to implement the logging policy with with Advanced Audit Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Account Management > +Audit Security Group Management (Success) +``` + +Microsoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems. If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. - """ risk_score = 43 rule_id = "291a0de9-937a-4189-94c0-3e847c8b13e4" diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml index 59ba2bbe8..77378772c 100644 --- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml +++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml 
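Review bot: In the rewritten "## Config" text of discovery_privileged_localgroup_membership.toml, `Steps to implement the logging policy with with Advanced Audit Configuration:` doubles the word "with"; change it to `Steps to implement the logging policy with Advanced Audit Configuration:`. The first investigation step, `Identify the process, host and user involved on the event.`, reads better as `involved in the event`. The old sentence that named security event 4799 explicitly is replaced by the link text "[event used]"; keeping the event ID visible in the text, e.g. `Microsoft introduced the [event used](...) (4799) in this detection rule`, helps analysts searching the note without following the link.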
@@ -1,17 +1,55 @@ [metadata] creation_date = "2020/12/04" maturity = "production" -updated_date = "2022/03/31" +updated_date = "2022/04/21" [rule] author = ["Elastic"] -description = "Discovery of remote system information using built-in commands, which may be used to mover laterally." +description = "Discovery of remote system information using built-in commands, which may be used to move laterally." from = "now-9m" index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Remote System Discovery Commands" -note = """## Config +note = """## Triage and analysis + +### Investigating Remote System Discovery Commands + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, +which is useful for attackers to identify lateral movement targets. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and +network connections. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. 
+ +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -31,6 +69,11 @@ process where event.type in ("start", "process_started") and [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1016" +name = "System Network Configuration Discovery" +reference = "https://attack.mitre.org/techniques/T1016/" + [[rule.threat.technique]] id = "T1018" name = "Remote System Discovery" diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml index 446bd5366..bb1540da7 100644 --- a/rules/windows/discovery_security_software_wmic.toml +++ b/rules/windows/discovery_security_software_wmic.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/10/19" maturity = "production" -updated_date = "2022/03/31" +updated_date = "2022/04/21" [rule] author = ["Elastic"] 
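Review bot: The utility named in the new rule summary is misspelled — in the sentence that says the rule looks for the `arp` or `nbstat` utilities, the Windows NetBIOS tool is `nbtstat` (nbtstat.exe), and an analyst who searches process names for `nbstat` will find nothing, so that sentence should read `This rule looks for the execution of the arp or nbtstat utilities to enumerate remote systems in the environment,` (keeping the backticks around both names). The False positive analysis section also stops at the generic "not inherently malicious" bullet, whereas the sibling guide earlier in this patch adds `- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.`; `arp -a` and `nbtstat` are routinely run by network troubleshooting and monitoring tooling, so that bullet is worth carrying over here as well. The EQL query this note describes is outside the hunk, so I have not verified which process names and arguments it actually matches.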
@@ -14,7 +14,46 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Security Software Discovery using WMIC" -note = """## Config +note = """## Triage and analysis + +### Investigating Security Software Discovery using WMIC + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security +software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable +protections, use bypasses, etc. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and +network connections. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml index ea4cf0fa1..cf6422467 100644 --- a/rules/windows/discovery_whoami_command_activity.toml +++ b/rules/windows/discovery_whoami_command_activity.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/02/18" maturity = "production" -updated_date = "2022/03/31" +updated_date = "2022/04/21" [rule] author = ["Elastic"] 
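Review bot: The false positive section of this new guide gives the analyst only the generic discovery bullet and nothing specific to WMIC security-software queries, although endpoint-management, inventory and compliance agents commonly issue the same kind of WMI query to report installed antivirus (I cannot see the query in this hunk, so which arguments it keys on is unconfirmed). I would add the exception bullet the sibling guide earlier in this patch uses, `- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.`, plus a sentence telling the analyst that the parent of `wmic.exe` (a management agent versus a shell, script host or Office process) is usually the most useful discriminator. The phrase `with arguments compatible to the enumeration of the security software installed on the host` also reads awkwardly; `with arguments consistent with enumerating the security software installed on the host` is clearer.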
@@ -20,7 +20,49 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Whoami Process Activity" -note = """## Config +note = """## Triage and analysis + +### Investigating Whoami Process Activity + +After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. +This can happen by running commands to enumerate network resources, users, connections, files, and installed security +software. + +This rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current +privileges, discover the current user, determine if a privilege escalation was successful, etc. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and +network connections. + +### False positive analysis + +- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify +suspicious activity related to the user or host, such alerts can be dismissed. + +### Related rules + +- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. 
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Config If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """
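Review bot: The false positive guidance in this guide is the thinnest of the set, because `whoami` is executed constantly by logon scripts, administrators and automation, yet the section carries only the generic "not inherently malicious" bullet and not the exception guidance the sibling guide earlier in this patch adds, `- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.`. Since the summary already says attackers use the tool to check whether a privilege escalation succeeded, I would also tell the analyst what raises the signal: `whoami` spawned from an unexpected parent (a web-server worker, Office application or script interpreter) or run with `/priv` or `/groups` shortly after other suspicious activity on the host. The EQL query is outside the hunk, so I cannot confirm which of these conditions the rule already filters on.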