[Rule Tuning] Local Service Commands (#1044)

* Update lateral_movement_service_control_spawned_script_int.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Brent Murphy
2021-04-13 12:31:45 -04:00
committed by GitHub
parent 31daa7b36a
commit aa61283dfa
2 changed files with 46 additions and 41 deletions
@@ -1,41 +0,0 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
description = """
Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary
lateral movement but will be noisy if commonly done by admins.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "Local Service Commands"
risk_score = 21
rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:(start or process_started) and process.name:sc.exe and process.args:(config or create or failure or start)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -0,0 +1,46 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/03/15"
[rule]
author = ["Elastic"]
description = """
Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services.
This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Service Control Spawned via Script Interpreter"
risk_score = 21
rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type == "start" and
(process.name : "sc.exe" or process.pe.original_file_name == "sc.exe") and
process.parent.name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe",
"wmic.exe", "mshta.exe","powershell.exe", "pwsh.exe") and
process.args:("config", "create", "start", "delete", "stop", "pause") and
/* exclude SYSTEM SID - look for service creations by non-SYSTEM user */
not user.id : "S-1-5-18"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
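Review bot: The new rule's description names only "create, modify, or start services", but the `process.args` condition also matches `delete`, `stop` and `pause`, and the `failure` argument matched by the removed rule is no longer covered. The description should list what the query matches, e.g. `Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, start, stop, pause, or delete services.` The rule also keeps the T1021 Remote Services / Lateral Movement mapping although no condition in the query ties the command to a remote host, so the matched activity looks closer to local service manipulation (possibly T1543.003 or T1569.002). Either add a condition that requires a remote target or revisit the mapping and the "lateral movement" wording. Because `not user.id : "S-1-5-18"` drops every event from the SYSTEM account, a short note in the rule stating that SYSTEM-context service changes are out of scope would tell analysts this case needs coverage elsewhere. It is also worth confirming that `user.id` is populated on all three index patterns, since the negated match may behave differently where the field is missing.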