From ccea74d9d8b4b0207af03d6a40ae5dc6a2dd1cd4 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 8 Dec 2020 17:16:10 +0100
Subject: [PATCH] [New Rule] Incoming Execution via PowerShell Remoting (#624)

* [New Rule] Incoming Execution via PowerShell Remoting
* eql syntax
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* ecs_version
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 ...l_movement_powershell_remoting_target.toml | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 rules/windows/lateral_movement_powershell_remoting_target.toml

diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
new file mode 100644
index 000000000..b48cac213
--- /dev/null
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -0,0 +1,47 @@
+[metadata]
+creation_date = "2020/11/24"
+maturity = "production"
+updated_date = "2020/11/24"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows for running any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement."
+false_positives = [
+ """
+ PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to
+ baseline your environment to determine the amount of noise to expect from this tool.
+ """,
+]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+name = "Incoming Execution via PowerShell Remoting"
+references = ["https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1"]
+risk_score = 43
+rule_id = "2772264c-6fb9-4d9d-9014-b416eed21254"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+type = "eql"
+
+query = '''
+sequence by host.id with maxspan = 30s
+ [network where network.direction == "incoming" and destination.port in (5985, 5986) and
+ network.protocol == "http" and source.address != "127.0.0.1" and source.address != "::1"
+ ]
+ [process where event.type == "start" and process.parent.name : "wsmprovhost.exe" and not process.name : "conhost.exe"]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
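Review bot: The network event in `query` pairs `destination.port in (5985, 5986)` with `network.protocol == "http"`, yet 5986 is the WinRM-over-HTTPS listener, so whether that branch ever matches depends on the data source labelling TLS-wrapped WinRM as "http" — if it uses a different label or leaves network.protocol unset, the rule silently covers only the plaintext listener. This is worth confirming against the endpoint network events named in `index`, and if the label differs, either relaxing the protocol condition or recording the assumption with a comment above `query`, e.g. `# network.protocol is assumed to be "http" for both the 5985 and 5986 (TLS) listeners; verify for 5986 traffic`. Separately, the sequence joins only on host.id with a 30 s maxspan, so any wsmprovhost.exe child started on the host will pair with any recent inbound WinRM connection rather than the session that spawned it; the false_positives text already anticipates noise, but stating this join granularity there would help analysts tune the rule.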