[New Rules] C2 via BITS and CertReq (#2466)

* Create command_and_control_certreq_postdata.toml

* Update command_and_control_certreq_postdata.toml

* Update command_and_control_certreq_postdata.toml

* Create command_and_control_ingress_transfer_bits.toml

* Update non-ecs-schema.json

* Update command_and_control_certreq_postdata.toml

* Update command_and_control_ingress_transfer_bits.toml

* Update rules/windows/command_and_control_certreq_postdata.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

detection_rules/etc/non-ecs-schema.json

@@ -69,8 +69,9 @@
     "file.Ext.header_bytes": "keyword", 
     "file.Ext.entropy": "long",
     "file.size": "long",
+    "file.Ext.original.name": "keyword",
     "dll.Ext.relative_file_creation_time": "double", 
-    "dll.Ext.relative_file_name_modify_time": "double" ,
+    "dll.Ext.relative_file_name_modify_time": "double",
     "process.Ext.relative_file_name_modify_time": "double",
     "process.Ext.relative_file_creation_time": "double"
   },

rules/windows/command_and_control_certreq_postdata.toml

@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2023/01/13"
+integration = ["endpoint", "windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/01/13"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to exfiltrate data to a remote URL.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Exfiltration via Certreq"
+references = ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"]
+risk_score = 47
+rule_id = "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Command and Control", "Elastic Endgame"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and 
+ (process.name : "CertReq.exe" or process.pe.original_file_name == "CertReq.exe") and process.args : "-Post"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

rules/windows/command_and_control_ingress_transfer_bits.toml

@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2023/01/13"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/01/13"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). 
+Adversaries could leverage Windows BITS transfer jobs to download remote payloads.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Ingress Transfer via Windows BITS"
+references = ["https://attack.mitre.org/techniques/T1197/"]
+risk_score = 21
+rule_id = "f95972d3-c23b-463b-89a8-796b3f369b49"
+severity = "low"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Command and Control"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where event.action == "rename" and 
+
+process.name : "svchost.exe" and file.Ext.original.name : "BIT*.tmp" and 
+ (file.extension :("exe", "zip", "rar", "bat", "dll", "ps1", "vbs", "wsh", "js", "vbe", "pif", "scr", "cmd", "cpl") or file.Ext.header_bytes : "4d5a*") and 
+ 
+ /* noisy paths, for hunting purposes you can use the same query without the following exclusions */
+ not file.path : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*", "?:\\Windows\\*", "?:\\ProgramData\\*\\*") and 
+ 
+ /* lot of third party SW use BITS to download executables with a long file name */
+ not length(file.name) > 30
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1197"
+name = "BITS Jobs"
+reference = "https://attack.mitre.org/techniques/T1197/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"