[Security Content] Current Investigation Guides Review (#1896)

* Modify investigation guides

* Apply suggestions from code review

Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>

* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml

Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>

* Rewrite and apply previous reviews

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Update rules/windows/credential_access_spn_attribute_modified.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

Co-authored-by: benironside <91905639+benironside@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit ebeb270075)
This commit is contained in:
Jonhnathan
2022-04-12 22:05:13 -03:00
committed by github-actions[bot]
parent 03677ca4e8
commit c3ab31632f
13 changed files with 388 additions and 314 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/02/08"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/04"
[rule]
author = ["Elastic"]
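Review bot: the updated_date stamped here (2022/04/04) differs from the values used for the other rule files in this same commit (2022/04/06 and 2022/03/28 further down); if the field is meant to record when this review pass touched the rule, use one date across all 13 files.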
@@ -15,17 +15,17 @@ index = ["winlogbeat-*", "logs-system.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Credential Access via DCSync"
note = """## Triage and analysis.
note = """## Triage and analysis
### Investigating Active Directory Replication From User Account
### Investigating Potential Credential Access via DCSync
Active Directory replication is the process by which the changes that originate on one domain controller are
automatically transferred to other domain controllers that store the same data.
automatically transferred to other domain controllers that store the same data.
Active Directory data takes the form of objects that have properties, or attributes. Each object is an instance
of an object class, and object classes and their respective attributes are defined in the Active Directory schema.
The values of the attributes define the object, and a change to a value of an attribute must be transferred from
the domain controller on which it occurs to every other domain controller that stores a replica of that object.
Active Directory data consists of objects that have properties, or attributes. Each object is an instance of an object
class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are
defined by the values of their attributes, and changes to attribute values must be transferred from the domain
controller on which they occur to every other domain controller that stores a replica of an affected object.
Adversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process
from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used
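Review bot: the unchanged-looking pair "automatically transferred to other domain controllers that store the same data." appears twice with no visible difference, so this is presumably a trailing-whitespace fix; confirm it is intentional. Also, the sentence "Adversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process" stacks two "use" clauses; consider "Adversaries can use the DCSync technique, which abuses the Domain Controller's replication API to simulate the replication process from a remote domain controller".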
@@ -34,38 +34,39 @@ to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), whic
the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused
to grant controlled objects the right to DCsync/Replicate.
More details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing).
and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync)
More details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).
This rule will monitor for Event ID 4662 (Operation was performed on an Active Directory object) and identify events that use the access
mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID
(DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that
use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).
This rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that
use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent:
Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set).
It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).
#### Possible investigation steps:
#### Possible investigation steps
- Identify the account that performed the action.
- Confirm whether the account owner is aware of the operation.
- Investigate other alerts related to the user/host in the last 48 hours.
- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received
the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.
- Investigate which credentials were compromised (e.g. All accounts were replicated or a specific account).
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller
(DC) that received the replication request. This will tell you where the AD replication request came from, and if it
came from another DC or not.
- Investigate which credentials were compromised (for example whether all accounts were replicated, or only a specific account).
### False Positive Analysis
### False positive analysis
- This activity should not happen legitimately. Any potential B-TP (Benign True Positive) should be mapped and monitored by the security
team as replication should be done by Domain Controllers only. Any account that performs this activity can put the domain at risk for not
having the same security standards (Long, complex, random passwords that change frequently) as computer accounts, exposing it to credential
cracking attacks (Kerberoasting, brute force, etc.).
- This activity should not happen legitimately, since replication should be done by Domain Controllers only. Any
potential benign true positive (B-TP) should be mapped and monitored by the security team. Any account that performs
this activity can put the domain at risk for not having the same security standards as computer accounts (which have
long, complex, random passwords that change frequently), exposing it to credential cracking attacks (Kerberoasting,
brute force, etc.).
### Response and Remediation
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- If specific credentials were compromised:
- Reset the password for the accounts.
- Reset passwords for affected accounts.
- If the entire domain or the `krbtgt` user were compromised:
- Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password
reset (twice) of the `krbtgt` user.
- Activate your incident response plan for total Active Directory compromise which should include, but not be limited
to, a password reset (twice) of the `krbtgt` user.
## Config
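Review bot: the colon placement in the rewritten detection description changes its meaning. The old text said the properties must contain one of the three named rights "or their equivalent Schema-Id-GUID"; the new lines "properties that contain at least one of the following or their equivalent:" / "Schema-Id-GUID (DS-Replication-Get-Changes, ...)" now read as if "Schema-Id-GUID" were the item being matched. Suggest: "properties that contain at least one of the following rights or their equivalent Schema-Id-GUIDs (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set)." The next sentence also carries a double "also" ("It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts"); drop the second one.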
@@ -73,18 +74,17 @@ The 'Audit Directory Service Changes' logging policy must be configured for (Suc
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)
```
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html",
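Review bot: the `event.ingested` sentence at the end of the Config block is left as a single very long line while the rest of this note is wrapped at roughly 120 characters; wrap it to match. While touching it, "beats" should be capitalized as the product name Beats, and "for versions <8.2" should say what the version number refers to so the reader knows which component to check.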
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/02/16"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/04"
[rule]
author = ["Elastic"]
@@ -17,38 +17,41 @@ index = ["winlogbeat-*", "logs-system.*"]
language = "eql"
license = "Elastic License v2"
name = "LSASS Memory Dump Handle Access"
note = """## Triage and analysis.
note = """## Triage and analysis
### Investigating
### Investigating LSASS Memory Dump Handle Access
Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible
for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles
for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles
password changes, and creates access tokens.
Adversaries may attempt to access credential material stored in the process memory of the LSASS. After a user logs on,
the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate
single sign-on (SSO) ensuring a user isnt prompted each time resource access is requested. These credential materials
can be harvested by an adversary using administrative user or SYSTEM privileges to conduct Lateral Movement using
[Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550/).
Adversaries may attempt to access credential material stored in LSASS process memory. After a user logs on,the system
generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single
sign-on (SSO) ensuring a user isnt prompted each time resource access is requested. These credential materials can be
harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using
[alternate authentication material](https://attack.mitre.org/techniques/T1550/).
#### Possible investigation steps:
#### Possible investigation steps
- Validate the correct install path for the process that triggered this detection
- Confirm that any AV or EDR solutions that trigger this detection have the correct install path
- Investigate the process execution chain (parent process tree).
- Investigate other alerts associated with the user/host during the past 48 hours.
- Validate the correct install path for the process that triggered this detection.
### False Positive Analysis
### False positive analysis
- There should be very few if any false positives for this rule. However, it may be tripped by AV or EDR solutions.
- There should be very few if any false positives for this rule. However, it may be tripped by antivirus or endpoint detection and response solutions;
check whether these solutions are installed on the correct paths.
### Response and Remediation
### Response and remediation
- Initiate the incident response process based on the outcome of the triage
- In case of specific credentials were compromised:
- Reset the password for the accounts
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Scope compromised credentials and disable the accounts.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
## Config
Ensure advanced audit policies for Windows are enabled, specifically
Ensure advanced audit policies for Windows are enabled, specifically:
Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)
```
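Review bot: the rewrapped paragraph introduces a typo, "After a user logs on,the system" (missing space after the comma), and carries over "isnt" from the old text without the apostrophe; fix both to "logs on, the system" and "isn't". The false-positive bullet "However, it may be tripped by antivirus or endpoint detection and response solutions;" is also much longer than the wrapping used elsewhere in this note and should be rewrapped.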
@@ -63,10 +66,9 @@ Audit File System (Success,Failure)
Audit Handle Manipulation (Success,Failure)
```
Also, this event generates only if the objects [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required ACE to handle the use of specific access rights.
Also, this event generates only if the objects [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656",
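Review bot: "only if the objects [SACL]" needs a possessive, "the object's SACL", in the new line as well as the old; and "this event generates only if" reads better as "this event is generated only if", since the object is what generates the event.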
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/07"
maturity = "development"
updated_date = "2022/03/31"
updated_date = "2022/04/06"
[rule]
author = ["Elastic"]
@@ -21,39 +21,44 @@ note = """## Triage and analysis
[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached
credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained
an initial foothold onto an endpoint and are looking to elevate privileges and seek out additional authentication objects
such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.
an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects
such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.
#### Possible investigation steps:
- This specific rule is based on Mimikatz command-line parameters used to dump credentials from the Local Security
This specific rule is based on Mimikatz command-line parameters used to dump credentials from the Local Security
Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it
typically represents an active adversary.
- Any kind of available host-based events or logs such as Windows Security Events, PowerShell logging and EDR events should
be used to seek further understanding around the events that led up to the rule as well as activity found shortly after the event.
- Further examination should include reviewing network logs to determine potential lateral movement.
- Validate that the source of the Mimikatz activity was not from an authorized source such as automated testing such as
Atomic Red Team or through offensive/compromise assessments.
### False Positive Analysis
- This rule should be on the higher confidence side of true positive activity therefore any testing such as offensive
/compromise engagements should be ruled out before invoking incident response procedures
More information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).
### Related Rules
- Mimikatz Memssp Log File Detected
- Creation or Modification of Domain Backup DPAPI private key
- Modification of WDigest Security Provider
#### Possible investigation steps
### Response and Remediation
- Take immediate action to review, investigate and potentially isolate activity to prevent further post-compromise
behavior
- During credential dump compromises, investigate the registry in order to check the number of cached users that have
used the machine. These users should have their password reset.
- Investigate the process execution chain (parent process tree).
- Contact the account owner and confirm whether they are aware of this activity.
- Examine PowerShell, Windows, and endpoint detection and response (EDR) logs to understand what was executed in the host.
- Further examination should include reviewing network logs to identify potential lateral movement.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Use process name, command line, and file hash to search for occurrences on other hosts.
- Scope potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the
target host.
### False positive analysis
- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.
### Related rules
- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6
- Creation or Modification of Domain Backup DPAPI private key - b83a7e96-2eb3-4edf-8346-427b6858d3bd
- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Validate that cleartext passwords are disabled in memory for use with `WDigest`.
- Look into preventing access to `LSASS` using capabilities such as LSA protection or leveraging AV/EDR tools that provide
- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide
this capability.
- This [resource](https://adsecurity.org/?page_id=1821) provided by ADSecurity should be used as required reading for
detecting/preventing and understanding the different Mimikatz components.
## Config
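Review bot: the old response step "investigate the registry in order to check the number of cached users that have used the machine. These users should have their password reset." has no equivalent in the new Response and remediation list, which only mentions resetting the triggering user's account and "other potentially compromised accounts"; confirm dropping the cached-users check is intentional, or keep it under the scoping step. Separately, "This [resource] provided by ADSecurity should be used as required reading" is background reading rather than a response action; it belongs in the introductory paragraph where the removed "More information about Mimikatz components ..." sentence used to sit.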
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/02/22"
maturity = "production"
updated_date = "2022/02/22"
updated_date = "2022/03/28"
[rule]
author = ["Elastic"]
@@ -15,50 +15,50 @@ index = ["winlogbeat-*", "logs-system.*"]
language = "kuery"
license = "Elastic License v2"
name = "User account exposed to Kerberoasting"
note = """## Triage and analysis.
note = """## Triage and analysis
### Investigating User account exposed to Kerberoasting
Service principal names (SPNs) is the name by which a Kerberos client uniquely identifies an instance of a service for a
given Kerberos target computer.
Service Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target
computers.
By default, only computer accounts have SPNs, and there is no significant risk about this, as machine accounts have a
default domain policy that configures these accounts to rotate their passwords every 30 days, and the password is
compound of 120 random characters, making them not to be vulnerable to Kerberoasting.
By default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default
domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making
them invulnerable to Kerberoasting.
So, a user account with an SPN assigned is considered a Service Account, making it available to be accessed by the
entire domain. If any user in the directory requests a TGS, the domain controller will encrypt it with the secret key of
the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as
the human-defined password is more likely to be less complex.
A user account with an SPN assigned is considered a Service Account, and is accessible to the entire domain. If any
user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret
key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this
information, as the human-defined password is likely to be less complex.
For scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA)
feature, which ensures that the account password is robust and changed regularly and automatically. More information can
feature, which ensures that account passwords are robust and changed regularly and automatically. More information can
be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).
Attackers can also perform "Targeted Kerberoasting", which consists of adding fake SPNs to user accounts that they have
write privileges to, making them potentially vulnerable to Kerberoasting.
#### Possible investigation steps:
#### Possible investigation steps
- Identify the account that performed the action.
- Check whether this user should be doing this kind of activity.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate if the target account is a member of Privileged groups (Domain Admins, Enterprise Admins, etc).
- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).
- Investigate if tickets have been requested for the target account.
- Investigate other alerts related to the user in the last 48 hours.
### False Positive Analysis
### False positive analysis
- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The
security team should map and monitor any potential B-TP (Benign True Positive), especially if the account is privileged.
security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged.
Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same
security standards (Long, complex, random passwords that change frequently) as computer accounts, exposing them to
credential cracking attacks (Kerberoasting, brute force, etc.).
security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing
them to credential cracking attacks (Kerberoasting, brute force, etc.).
### Response and Remediation
### Response and remediation
- Initiate the incident response process based on the outcome of the triage
- Reset the password of the involved accounts. Priority should be given to privileged accounts.
- Initiate the incident response process based on the outcome of the triage.
- Reset the passwords of affected accounts, prioritizing privileged accounts.
- Quarantine the involved host for forensic investigation, as well as eradication and recovery activities.
## Config
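Review bot: "making them invulnerable to Kerberoasting" overstates the old wording ("not to be vulnerable"); a 120-character random password makes offline cracking impractical, not impossible, so prefer "making Kerberoasting impractical against them". Two more precision points in the same paragraph block: "is considered a Service Account, and is accessible to the entire domain" is ambiguous about what is accessible (any domain user can request a service ticket for that SPN, not access the account), and "requests a ticket-granting service (TGS)" conflates the service with the ticket; suggest "requests a service ticket from the ticket-granting service (TGS)".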
@@ -67,13 +67,13 @@ The 'Audit Directory Service Changes' logging policy must be configured for (Suc
Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Changes (Success,Failure)
```
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/12/25"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/06"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -15,59 +15,64 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Symbolic Link to Shadow Copy Created"
note = """## Triage and analysis.
note = """## Triage and analysis
### Investigating
### Investigating Symbolic Link to Shadow Copy Created
Shadow copies are backups or snapshots of an endpoints files or volumes at the time of being in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes but an offline copy is needed to extract these hashes and potentially conduct lateral movement.
Shadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt
to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active
Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is
needed to extract these hashes and potentially conduct lateral movement.
#### Possible investigation steps:
#### Possible investigation steps
- Determine if a volume shadow copy was recently created on this endpoint.
- Review priviledges of the end user as this requires administrative access.
- Verify ntds.dit file was successfully copied and the location.
- Verify if the ntds.dit file was successfully copied and determine its copy destination.
- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.
- Investigate recent deletions of volume shadow copies.
- Identify other files potentially copied from volume shadow copy paths directly.
### False Positive Analysis
### False positive analysis
- There should be very little false positive triggers with this rule.
- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.
### Related rules
### Related Rules
- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f
### Response and Remediation
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- In case specific credentials were compromised:
- Reset the password for the accounts
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- If the entire domain or the `krbtgt` user was compromised:
- Activate your incident response plan for total Active Directory compromise which should include, but not be limited
to, a password reset (twice) of the `krbtgt` user.
- Locate and remove static files copied from volume shadow copies.
- Command-Line tool mklink should require administrative access by default unless in developer mode.
## Config
Ensure advanced audit policies for Windows are enabled, specifically
Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
System Audit Policies >
Object Access >
Audit File System (Success,Failure)
Audit Handle Manipulation (Success,Failure)
```
This event will only trigger if symbolic links are created from a new process spawning for cmd.exe or powershell.exe with the correct arguments.
Direct access to a shell and calling symbolic link creation tools will not generate an event.
Ensure advanced audit policies for Windows are enabled, specifically:
Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
System Audit Policies >
Object Access >
Audit File System (Success,Failure)
Audit Handle Manipulation (Success,Failure)
```
This event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.
Direct access to a shell and calling symbolic link creation tools will not generate an event matching this rule.
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
"""
references = [
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink",
"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf",
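Review bot: the unchanged context line "Review priviledges of the end user as this requires administrative access." still carries the "priviledges" typo; since this pass is already editing the surrounding lines, fix it to "privileges". The two header lines appear in the order "### Related rules" then "### Related Rules", the reverse of the old/new ordering seen in the other hunks; make sure the surviving header is the lowercase "### Related rules" used by the other rules in this commit. Finally, "Command-Line tool mklink should require administrative access by default unless in developer mode." is phrased as a fact rather than an action; as a remediation step it reads better as "Verify that mklink still requires administrative access (the default unless developer mode is enabled)."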
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/07/20"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/06"
[rule]
author = ["Elastic"]
@@ -16,45 +16,57 @@ license = "Elastic License v2"
name = "Windows Defender Exclusions Added via PowerShell"
note = """## Triage and analysis
### Investigating Windows Defender Exclusions
### Investigating Windows Defender Exclusions Added via PowerShell
Microsoft Windows Defender is an anti-virus product built-in within Microsoft Windows. Since this software product is
Microsoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is
used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration
settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more
notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defense to avoid detection.
settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of
the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/)
was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.
#### Possible investigation steps:
- With this specific rule, it's completely possible to trigger detections on network administrative activity or benign users
using scripting and PowerShell to configure the different exclusions for Windows Defender. Therefore, it's important to
identify the source of the activity first and determine if there is any mal-intent behind the events.
- The actual exclusion such as the process, the file or directory should be reviewed in order to determine the original
intent behind the exclusion. Is the excluded file or process malicious in nature or is it related to software that needs
to be legitimately allowlisted from Windows Defender?
#### Possible investigation steps
### False Positive Analysis
- This rule has a higher chance to produce false positives based on the nature around configuring exclusions by possibly
a network administrator. In order to validate the activity further, review the specific exclusion and its intent. There
are many legitimate reasons for exclusions, so it's important to gain context.
- Investigate the process execution chain (parent process tree).
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Examine the exclusion in order to determine the intent behind it.
- Check for similar behavior in other hosts in the environment.
- If the exclusion specifies a suspicious file, retrieve it and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### Related Rules
- Windows Defender Disabled via Registry Modification
- Disabling Windows Defender Security Settings via PowerShell
### False positive analysis
### Response and Remediation
- Since this is related to post-exploitation activity, take immediate action to review, investigate and
potentially isolate further activity.
- If further analysis showed malicious intent was behind the Defender exclusions, administrators should remove
the exclusion and ensure antimalware capability has not been disabled or deleted.
- This rule has a high chance to produce false positives due to how often network administrators legitimately configure
exclusions. In order to validate the activity further, review the specific exclusion and its intent. There are many
legitimate reasons for exclusions, so it's important to gain context.
### Related rules
- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb
- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Immediately block the identified indicators of compromise (IoCs).
- Remove and block malicious artifacts identified on the triage.
- Exclusion lists for antimalware capabilities should always be routinely monitored for review.
## Config
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf",
]
"""
references = ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"]
risk_score = 47
rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b"
severity = "medium"
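Review bot: in the Config paragraph ("If enabling an EQL rule on a non-elastic-agent index…"), "populate `event.ingested` to @timestamp" leaves the direction of the copy ambiguous; the sentence should say that the custom pipeline sets `event.ingested` from `@timestamp` (and `@timestamp` should be in code formatting like `event.ingested`). Two wording fixes in the Response and remediation list: "Remove and block malicious artifacts identified on the triage" should read "identified during the triage", and "Exclusion lists for antimalware capabilities should always be routinely monitored for review" is clearer as "Routinely review the exclusion lists of antimalware products". "CISCO Talos" in the sandbox bullet should be "Cisco Talos".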
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/03/02"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/06"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -16,32 +16,44 @@ license = "Elastic License v2"
name = "Signed Proxy Execution via MS WorkFolders"
note = """## Triage and analysis
### Investigating control.exe Execution via Work Folders in Current Working Directory
### Investigating Signed Proxy Execution via MS WorkFolders
Work Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows for users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named `control.exe` as an argument before accessing the synced share.
Work Folders is a role service for file servers running Windows Server that provides a consistent way for users to access
their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When
called, Work Folders will automatically execute any Portable Executable (PE) named `control.exe` as an argument before
accessing the synced share.
Using Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.
Using Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and
increase privileges.
#### Possible investigation steps
#### Possible investigation steps:
- Investigate the process tree starting with parent process WorkFolders.exe and child process control.exe to determine if other child processes spawned during execution.
- Trace the activity related to the `control.exe` binary to determine continued intrusion activity on the host.
- Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary as it resides in the System32 directory by default.
- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic generated
- Investigate the process tree starting with parent process WorkFolders.exe and child process control.exe to determine
if other child processes spawned during execution.
- Trace the activity related to the `control.exe` binary to identify any continuing intrusion activity on the host.
- Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe
binary. It resides in the System32 directory by default.
- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity
or network traffic.
- Determine if control.exe was synced to sync share, indicating potential lateral movement.
- Review where control.exe originated from on the host in terms of delivery such as email, web download or written to disk from a seperate binary.
- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to
disk from a separate binary.
### False positive analysis
### False Positive Analysis
- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious `control.exe` is passed as an argument.
- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the
instance where a suspicious `control.exe` is passed as an argument.
### Response and Remediation
- If identified as a compromise, engage incident response processes and policies.
- Take immediate action to review, investigate and potentially isolate activity to prevent further post-compromise
behavior.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Review the Work Folders synced share to determine if the 'control.exe' was shared and if so remove it.
- If no lateral movement was identified during investigation, take the effected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.
- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.
- Confirm with user whether this was expected or not and reset their password.
- If no lateral movement was identified during investigation, take the effected host offline if possible and remove the
control.exe binary as well as any additional artifacts identified during investigation.
- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using
Work Folders.
- Confirm with the user whether this was expected or not, and reset their password.
## Config
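Review bot: "take the effected host offline" in the remediation list should be "affected host"; the typo survives the re-wrap of that bullet. In the same list, "Review the Work Folders synced share to determine if the 'control.exe' was shared and if so remove it" mixes single quotes with the backtick style used for `control.exe` elsewhere in the note and needs commas ("...was shared and, if so, remove it"). The investigation bullet "Determine if control.exe was synced to sync share" is missing an article ("to the sync share").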
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/10/19"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/06"
[rule]
author = ["Elastic"]
@@ -19,38 +19,40 @@ note = """## Triage and analysis
### Investigating AdFind Command Activity
[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from
Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways
they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and
understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/)
observed where this tool has been adopted by ransomware and criminal groups and used in compromises.
[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information
from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same
ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects
and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of
this tool being adopted by ransomware and criminal groups and used in compromises.
#### Possible investigation steps:
- `AdFind` is a legitimate Active Directory enumeration tool used by network administrators, it's important to understand
the source of the activity. This could involve identifying the account using `AdFind` and determining based on the command-lines
what information was retrieved, then further determining if these actions are in scope of that user's traditional responsibilities.
- In multiple public references, `AdFind` is leveraged after initial access is achieved. Review previous activity on impacted
machines for suspicious indicators such as previous anti-virus/EDR alerts, phishing emails received, or network traffic
to suspicious infrastructure.
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Identify the user account that performed the action and whether it should perform this kind of action.
- Examine the command line to determine what information was retrieved by the tool.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
### False positive analysis
### False Positive Analysis
- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators. One
option could be allowlisting specific users or groups who use the tool as part of their daily responsibilities. This can
be done by leveraging the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment.
- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in
isolation, so reviewing previous logs/activity from impacted machines can be very telling.
### Related Rules
- Windows Network Enumeration
- Enumeration of Administrator Accounts
- Enumeration Command Spawned via WMIPrvSE
### Related rules
### Response and Remediation
- Take immediate action to validate activity, investigate and potentially isolate activity to prevent further
post-compromise behavior.
- It's important to understand that `AdFind` is an Active Directory enumeration tool and can be used for malicious or legitimate
purposes, so understanding the intent behind the activity will help determine the appropropriate response.
- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1
- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d
- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Determine the initial infection vector.
## Config
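Review bot: "This tool provides quick ability to scope AD person/computer objects" is missing an article; "provides a quick way to scope" or "provides the ability to quickly scope" reads better. In the false positive analysis, "This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators" attaches "it" to the rule rather than to AdFind; suggest "because `AdFind` is a legitimate tool used by network administrators". The sentence about the exception workflow in the Kibana Security App also runs past the wrap width used by the surrounding lines.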
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/07/16"
maturity = "production"
updated_date = "2022/02/28"
updated_date = "2022/04/06"
[rule]
author = ["Elastic"]
@@ -22,41 +22,46 @@ license = "Elastic License v2"
name = "Abnormally Large DNS Response"
note = """## Triage and analysis
### Investigating Large DNS Responses
### Investigating Abnormally Large DNS Response
Detection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS
server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350)
also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.
#### Possible investigation steps:
#### Possible investigation steps
- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate
the source of the incoming traffic and determine if this activity has been observed previously within an environment.
- Activity can be further investigated and validated by reviewing available corresponding Intrusion Detection Signatures (IDS) alerts associated with activity.
- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.
- Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.
- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as
Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale
internet vulnerability scanning.
- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.
#### False Positive Analysis
#### False positive analysis
- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes
and related to legitimate behavior. In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses
were all observed as greater than 65k bytes.
- This activity can be triggered by compliance/vulnerability scanning or compromise assessment, it's
important to determine the source of the activity and potentially allowlist the source host.
- This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to
determine the source of the activity and potentially allowlist the source host.
### Related rules
### Related Rules
- Unusual Child Process of dns.exe
- Unusual File Modification by dns.exe
- Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45
- Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9
### Response and Remediation
- Review and implement the above detection logic within your environment using technology such as Endpoint security, Winlogbeat, Packetbeat, or network security monitoring (NSM) platforms such as Zeek or Suricata.
- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restart the
patched machines. If unable to patch immediately: Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesnt require a
restart. This can be used as a temporary solution before the patch is applied.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350)
(Monthly Rollup or Security Only) and restarted the patched machines. If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability)
a registry-based workaround that doesnt require a restart. This can be used as a temporary solution before the patch is applied.
- Maintain backups of your critical systems to aid in quick recovery.
- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.
- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.
"""
references = [
"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
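Review bot: "a registry-based workaround that doesnt require a restart" is missing the apostrophe ("doesn't"), and the typo is carried into the re-wrapped bullet. The false positive bullet says the rule "looks for a threshold of 60k bytes" and then reasons about responses "under 65k bytes" and SANS captures "greater than 65k bytes"; the relationship between the 60k threshold and the 65k comparison point should be spelled out (or the numbers reconciled) so a reader can tell how responses between 60k and 65k are treated. Minor: "Validate the patch level and OS of the targeted DNS server to validate the observed activity" repeats "validate"; use "confirm" for the second.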
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/20"
maturity = "production"
updated_date = "2022/01/13"
updated_date = "2022/04/06"
[rule]
author = ["Elastic"]
@@ -13,40 +13,43 @@ license = "Elastic License v2"
name = "Remote Scheduled Task Creation"
note = """## Triage and analysis
### Investigating Creation of Remote Scheduled Tasks
### Investigating Remote Scheduled Task Creation
[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great
mechanism for persistence and program execution. These features can
be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries.
When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the
original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind
of network administrator work. One objective for these alerts is to understand the configured action within the scheduled
task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.
[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism
for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at
the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the
first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to
benign behavior such as software installation or any kind of network administrator work. One objective for these alerts
is to understand the configured action within the scheduled task. This is captured within the registry event data for
this rule and can be base64 decoded to view the value.
#### Possible investigation steps
#### Possible investigation steps:
- Review the base64 encoded tasks actions registry value to investigate the task configured action.
- Determine if task is related to legitimate or benign behavior based on the corresponding process or program tied to the
scheduled task.
- Further examination should include both the source and target machines where host-based artifacts and network logs
should be reviewed further around the time window of the creation of the scheduled task.
- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software
installations.
- Further examination should include review of host-based artifacts and network logs from around when the scheduled task
was created, on both the source and target machines.
### False positive analysis
### False Positive Analysis
- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature
within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to
further understand the source of the activity and determine the intent based on the scheduled task contents.
further understand the source of the activity and determine the intent based on the scheduled task's contents.
### Related Rules
- Service Command Lateral Movement
- Remotely Started Services via RPC
### Related rules
### Response and Remediation
- This behavior represents post-exploitation actions such as persistence or lateral movement, immediately review and
investigate the activity and potentially isolate involved machines to prevent further post-compromise
behavior.
- Remove scheduled task and any other related artifacts to the activity.
- Review privileged account management and user account management settings such as implementing GPO policies to further
restrict activity or configure settings that only allow Administrators to create remote scheduled tasks.
"""
- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc
- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Remove scheduled task and any other related artifacts.
- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further
restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.
"""
risk_score = 47
rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9"
severity = "medium"
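Review bot: "Review the base64 encoded tasks actions registry value" needs a hyphen and a clearer noun phrase, e.g. "Review the base64-encoded Actions registry value of the task". In the remediation list, "Remove scheduled task and any other related artifacts" is missing an article ("Remove the scheduled task"), and "Consider implementing group policy object (GPO) policies" is redundant; "Consider implementing Group Policy Objects (GPOs)" is enough. That bullet also runs past the wrap width used by the rest of the note.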
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/03/15"
maturity = "production"
updated_date = "2022/02/28"
updated_date = "2022/04/06"
[rule]
author = ["Elastic"]
@@ -16,36 +16,48 @@ license = "Elastic License v2"
name = "Suspicious Startup Shell Folder Modification"
note = """## Triage and analysis
### Investigating Suspicious Startup Shell Activity
### Investigating Suspicious Startup Shell Folder Modification
Techniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for
persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this
behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for
an attacker.
#### Possible investigation steps:
#### Possible investigation steps
- Investigate the process execution chain (parent process tree).
- Review the source process and related file tied to the Windows Registry entry.
- Validate the activity is not related to planned patches, updates, network administrator activity or legitimate software
installations.
- Determine if activity is unique by validating if other machines in same organization have similar entry.
- Determine if activity is unique by validating if other machines in the same organization have similar entries.
- Retrieve the file and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False Positive Analysis
- There is a high possibility of benign legitimate programs being added to Shell folders. This activity could be based
on new software installations, patches, or any kind of network administrator related activity. Before entering further
investigation, it should be verified that this activity is not benign.
### False positive analysis
### Related Rules
- Startup or Run Key Registry Modification
- Persistent Scripts in the Startup Directory
- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based
on new software installations, patches, or other network administrator activity. Before entering further investigation,
it should be verified that this activity is not benign.
### Response and Remediation
- Activity should first be validated as a true positive event if so then take immediate action to review,
investigate and potentially isolate activity to prevent further post-compromise behavior.
- The respective binary or program tied to this persistence method should be further analyzed and reviewed to understand
its behavior and capabilities.
### Related rules
- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f
- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Since this activity is considered post-exploitation behavior, it's important to understand how the behavior was first
initialized such as through a macro-enabled document that was attached in a phishing email. By understanding the source
of the attack, this information can then be used to search for similar indicators on other machines in the same environment.
initialized such as through a macro-enabled document that was attached in a phishing email. After understanding the source
of the attack, you can use this information to search for similar indicators on other machines in the same environment.
"""
risk_score = 73
rule_id = "c8b150f0-0164-475b-a75e-74b47800a9ff"
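Review bot: "it's important to understand how the behavior was first initialized such as through a macro-enabled document" should read "initiated" and needs a comma before "such as"; the word is kept in the re-wrapped sentence. In the false positive analysis, "benign legitimate programs" is redundant; drop one of the two. "CISCO Talos" in the sandbox bullet should be "Cisco Talos".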
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/02/24"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/06"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ index = ["winlogbeat-*", "logs-system.*"]
language = "eql"
license = "Elastic License v2"
name = "AdminSDHolder SDProp Exclusion Added"
note = """## Triage and analysis.
note = """## Triage and analysis
### Investigating AdminSDHolder SDProp Exclusion Added
@@ -33,19 +33,19 @@ Administrators can use the dSHeuristics attribute to exclude privilege groups fr
16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):
* For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character
is set to 1 (i.e., 0000000001000001).
is set to 1 (i.e., 0000000001000001).
The usage of this exclusion can leave the accounts unprotected and facilitate the misconfigurations of privilege on the
excluded groups, leaving a gap for attackers to add accounts to these groups to maintain long-term persistence with high
The usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the
excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high
privileges.
This rule will monitor changes on the dsHeuristics object where the 16th bit is set to a value other than zero.
This rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.
#### Possible investigation steps:
#### Possible investigation steps
- Identify the account that performed the action
- Confirm whether the account owner is aware of the operation
- Investigate other alerts related to the user in the last 48 hours.
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:
- Account Operators eq 1
- Server Operators eq 2
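Review bot: the attribute name is spelled both "dSHeuristics" (in the paragraph about excluding privileged groups) and "dsHeuristics" (in "This rule matches changes of the dsHeuristics object") within the same note; pick one spelling, since readers will search for it. "matches changes of the dsHeuristics object" should also be "changes to".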
@@ -54,12 +54,12 @@ This rule will monitor changes on the dsHeuristics object where the 16th bit is
The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together;
for example, Backup Operators and Print Operators will set the `c` value on the bit.
### False Positive Analysis
### False positive analysis
- While this modification can be done legitimately, it is not best practice. Any potential B-TP (Benign True Positive)
- While this modification can be done legitimately, it is not best practice. Any potential benign true positive (B-TP)
should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.
### Response and Remediation
### Response and remediation
- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.
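Review bot: the value is a hexadecimal character, not a bit: the paragraph states "The field value can range from 0 to f (15)" and that two groups "will set the `c` value", which a single bit cannot hold, yet the note calls it "the 16th bit (dwAdminSDExMask)" and the remediation bullet says "setting the dwAdminSDExMask (16th bit) to 0". Use "16th character" throughout, as the earlier example ("so the 16th character is set to 1") already does.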
@@ -70,17 +70,16 @@ Steps to implement the logging policy with Advanced Audit Configuration:
```
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
DS Access >
Audit Directory Service Changes (Success)
```
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad",
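Review bot: the two versions of the Group Policy path block differ only in indentation, and the flat version ("Policies >" through "DS Access >" flush left under "Computer Configuration >") reads as a list of siblings rather than a nested path; keep the nested indentation, or collapse it to a single line ("Computer Configuration > Policies > Windows Settings > ..."). The Config sentence's "populate `event.ingested` to @timestamp" should state the direction of the copy: set `event.ingested` from `@timestamp`.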
@@ -3,7 +3,7 @@ creation_date = "2021/11/25"
maturity = "production"
min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
min_stack_version = "7.16.0"
updated_date = "2022/04/04"
updated_date = "2022/04/06"
[rule]
author = ["Elastic"]
@@ -16,35 +16,52 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation via InstallerFileTakeOver"
note = """## Triage and analysis.
note = """## Triage and analysis
### Investigating Potential Priivilege Escalation via InstallerFileTakeOver
### Investigating Potential Privilege Escalation via InstallerFileTakeOver
InstallerFileTakeOver is a weaponized EoP PoC to the CVE-2021-41379 vulnerability. Upon successful exploitation,
an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.
InstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an
unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.
This rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself
to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.
to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked),
which is outside the scope of this rule.
#### Possible investigation steps:
- Check for the digital signature of the executable.
- Check the executable's digital signature.
- Look for additional processes spawned by the process, command lines, and network communications.
- Look for additional alerts involving the host and the user.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Check for similar behavior in other hosts in the environment.
- Retrieve the file and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False Positive Analysis
### False positive analysis
- Verify whether the digital signature exists in the executable, and if it is valid.
- Verify whether a digital signature exists in the executable, and if it is valid.
### Related Rules
### Related rules
- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee
### Response and Remediation
- Immediate response steps should be taken to validate, investigate, and potentially contain the activity to prevent
further post-compromise behavior.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
- Immediately block the identified indicators of compromise (IoCs).
- Remove and block malicious artifacts identified on the triage.
- Disable user accounts ability to log in remotely.
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
- Determine the initial infection vector.
## Config
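Review bot: "a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability" should be "for CVE-2021-41379", and that line runs well past the wrap width used in the rest of the note. "SYSTEM/NT AUTHORITY" has the account name reversed; the local system account is NT AUTHORITY\SYSTEM (inside the TOML multi-line basic string the backslash must be escaped as `\\`). Further down, "An attacker is able to still take over" reads better as "is still able to take over", "Disable user accounts ability to log in remotely" needs a possessive ("the user account's ability"), and "identified on the triage" should be "during the triage".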