From cccd91bc1a1f5fb4c8df579607f614020d3c5616 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Tue, 29 Sep 2020 18:53:05 +0200 Subject: [PATCH] [New Rule] - Persistence via Update Orchestrator Service Hijack (#152) * [New Rule] - Persistence via Update Orchestrator Service Hijack * Update persistence_via_update_orchestrator_service_hijack.toml * Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml Co-authored-by: Justin Ibarra * Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml Co-authored-by: Justin Ibarra * Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml Co-authored-by: Justin Ibarra * Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml Co-authored-by: Justin Ibarra * Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> --- ...ia_update_orchestrator_service_hijack.toml | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 rules/windows/persistence_via_update_orchestrator_service_hijack.toml diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml new file mode 100644 index 000000000..6c3dc345f --- /dev/null +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -0,0 +1,44 @@ +[metadata] +creation_date = "2020/08/17" +ecs_version = ["1.6.0"] +maturity = "production" +updated_date = "2020/08/17" + +[rule] +author = ["Elastic"] +description = """ +Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of +SYSTEM. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*"] +language = "kuery" +license = "Elastic License" +name = "Persistence via Update Orchestrator Service Hijack" +references = ["https://github.com/irsl/CVE-2020-1313"] +risk_score = 73 +rule_id = "265db8f5-fc73-4d0d-b434-6483b56372e2" +severity = "high" +tags = ["Elastic", "Windows"] +type = "query" + +query = ''' +event.category:process and event.type:(start or process_started) and + process.parent.name:svchost.exe and + process.parent.args:(UsoSvc or usosvc) and + not process.name:(UsoClient.exe or usoclient.exe or MusNotification.exe or musnotification.exe or MusNotificationUx.exe or musnotificationux.exe) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1050" +name = "New Service" +reference = "https://attack.mitre.org/techniques/T1050/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/"