From be5cd23a641fc789b56ccd0f8d75291ac12d7af9 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Wed, 1 Feb 2023 15:30:15 +0100 Subject: [PATCH] [New Rules] Code Signing Policy Modification (#2510) * [New Rules] Code Signing Policy Modification * Fixed description & tags * cleaned the query syntax * Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/defense_evasion_code_signing_policy_modification_registry.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/defense_evasion_code_signing_policy_modification_registry.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --- ...ing_policy_modification_builtin_tools.toml | 64 +++++++++++++++++++ ..._signing_policy_modification_registry.toml | 60 +++++++++++++++++ 2 files changed, 124 insertions(+) create mode 100644 rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml create mode 100644 rules/windows/defense_evasion_code_signing_policy_modification_registry.toml diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml new file mode 100644 index 000000000..4903fe904 --- /dev/null +++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml @@ -0,0 +1,64 @@ +[metadata] +creation_date = "2023/01/31" +integration = ["endpoint", "windows"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/01/31" + +[rule] +author = ["Elastic"] +description = """ +Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides +authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. +By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +language = "eql" +license = "Elastic License v2" +name = "Code Signing Policy Modification Through Built-in tools" +risk_score = 47 +rule_id = "b43570de-a908-4f7f-8bdb-b2df6ffd8c80" +severity = "medium" +tags = [ + "Elastic", + "Host", + "Windows", + "macOS", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where event.type == "start" and +( + /* Windows */ + ((process.name: "bcdedit.exe" or process.pe.original_file_name == "bcdedit.exe") and process.args: ("-set", "/set") and + process.args: ("TESTSIGNING", "nointegritychecks", "loadoptions", "DISABLE_INTEGRITY_CHECKS")) or + + /* MacOS */ + (process.executable: "/usr/bin/csrutil" and process.args: "disable") +) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" +[[rule.threat.technique.subtechnique]] +id = "T1553.006" +name = "Code Signing Policy Modification" +reference = "https://attack.mitre.org/techniques/T1553/006/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml new file mode 100644 index 000000000..2729bfaa5 --- /dev/null +++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml @@ -0,0 +1,60 @@ +[metadata] +creation_date = "2023/01/31" +integration = ["endpoint", "windows"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/01/31" + +[rule] +author = ["Elastic"] +description = """ +Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides +authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. +By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +language = "eql" +license = "Elastic License v2" +name = "Code Signing Policy Modification Through Registry" +risk_score = 47 +rule_id = "da7733b1-fe08-487e-b536-0a04c6d8b0cd" +severity = "medium" +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Elastic Endgame", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where event.type : ("creation", "change") and +( + registry.path : "HKEY_USERS\\*\\Software\\Policies\\Microsoft\\Windows NT\\Driver Signing\\BehaviorOnFailedVerify" and + registry.value: "BehaviorOnFailedVerify" and + registry.data.strings : ("0", "0x00000000", "1", "0x00000001") +) +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1553" +name = "Subvert Trust Controls" +reference = "https://attack.mitre.org/techniques/T1553/" +[[rule.threat.technique.subtechnique]] +id = "T1553.006" +name = "Code Signing Policy Modification" +reference = "https://attack.mitre.org/techniques/T1553/006/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/"