From d5dddae0ef751e59e0003fcddb1101304ee8feb8 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Fri, 30 Jun 2023 10:56:13 -0300
Subject: [PATCH] [Rule Tuning] Suspicious PowerShell Engine ImageLoad (#2721)

* [Rule Tuning] Suspicious PowerShell Engine ImageLoad

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
 ...ecution_suspicious_powershell_imgload.toml | 108 +++++-------------
 1 file changed, 29 insertions(+), 79 deletions(-)

diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index 6e3857ef8..fd2f5b7eb 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
-integration = ["endpoint", "windows"]
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/06/29"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the PowerShell engine being invoked by unexpected processes. Rather t
 with powershell.exe, some attackers do this to operate more stealthily.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious PowerShell Engine ImageLoad"
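Review bot: Narrowing `integration` to `["endpoint"]` and `index` to `["logs-endpoint.events.*"]` drops the winlogbeat, logs-windows and endgame sources this rule previously read, and nothing in the rule text records the change. The removed `event.category == "process" and event.action : "Image loaded*"` clause in the query hunk presumably served those non-endpoint sources, so users who relied on them will simply stop receiving alerts with no indication why. Consider adding one sentence to the description or the investigation guide, e.g. `This rule requires Elastic Defend library (image load) events and does not cover data from the Windows integration or winlogbeat.`, so the coverage boundary is visible to anyone enabling it.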
@@ -59,28 +59,6 @@ Attackers can use PowerShell without having to execute `PowerShell.exe` directly
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-## Setup
-
-The 'PowerShell Script Block Logging' logging policy must be enabled.
-Steps to implement the logging policy with with Advanced Audit Configuration:
-
-```
-Computer Configuration >
-Administrative Templates >
-Windows PowerShell >
-Turn on PowerShell Script Block Logging (Enable)
-```
-
-Steps to implement the logging policy via registry:
-
-```
-reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
-```
-
-## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
 risk_score = 47
 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3"
@@ -90,64 +68,36 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where host.os.type == "windows" and (event.category : ("library", "driver") or (event.category == "process" and event.action : "Image loaded*")) and
- (dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") or
- file.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll")) and
-
-/* add false positives relevant to your environment here */
-not process.executable : ("C:\\Windows\\System32\\RemoteFXvGPUDisablement.exe", "C:\\Windows\\System32\\sdiagnhost.exe") and
-not process.executable regex~ """C:\\Program Files( \(x86\))?\\*\.exe""" and
- not process.name :
+library where host.os.type == "windows" and
+ dll.name : ("System.Management.Automation.ni.dll", "System.Management.Automation.dll") and
+ not (
- "Altaro.SubAgent.exe",
- "AppV_Manage.exe",
- "azureadconnect.exe",
- "CcmExec.exe",
- "configsyncrun.exe",
- "choco.exe",
- "ctxappvservice.exe",
- "DVLS.Console.exe",
- "edgetransport.exe",
- "exsetup.exe",
- "forefrontactivedirectoryconnector.exe",
- "InstallUtil.exe",
- "JenkinsOnDesktop.exe",
- "Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe",
- "mmc.exe",
- "mscorsvw.exe",
- "msexchangedelivery.exe",
- "msexchangefrontendtransport.exe",
- "msexchangehmworker.exe",
- "msexchangesubmission.exe",
- "msiexec.exe",
- "MsiExec.exe",
- "noderunner.exe",
- "NServiceBus.Host.exe",
- "NServiceBus.Host32.exe",
- "NServiceBus.Hosting.Azure.HostProcess.exe",
- "OuiGui.WPF.exe",
- "powershell.exe",
- "powershell_ise.exe",
- "pwsh.exe",
- "SCCMCliCtrWPF.exe",
- "ScriptEditor.exe",
- "ScriptRunner.exe",
- "sdiagnhost.exe",
- "servermanager.exe",
- "setup100.exe",
- "ServiceHub.VSDetouredHost.exe",
- "SPCAF.Client.exe",
- "SPCAF.SettingsEditor.exe",
- "SQLPS.exe",
- "Ssms.exe",
- "telemetryservice.exe",
- "UMWorkerProcess.exe",
- "w3wp.exe",
- "wsmprovhost.exe"
+ /* MS Signed Binaries */
+ (
+ process.code_signature.subject_name : (
+ "Microsoft Windows",
+ "Microsoft Dynamic Code Publisher",
+ "Microsoft Corporation"
+ ) and process.code_signature.trusted == true and not process.name : ("rundll32.exe", "regsvr32.exe")
+ ) or
+
+ /* Signed Executables from the Program Files folder */
+ (
+ process.executable : (
+ "?:\\Program Files (x86)\\*.exe",
+ "?:\\Program Files\\*.exe"
+ ) and process.code_signature.trusted == true
+ ) or
+
+ /* Lenovo */
+ (
+ process.executable : (
+ "?:\\Windows\\Lenovo\\*.exe"
+ ) and (process.code_signature.subject_name : "Lenovo" and process.code_signature.trusted == true)
+ )
 )
 '''
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
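Review bot: The `/* MS Signed Binaries */` exclusion is keyed on the signer rather than on the expected host processes, so every `Microsoft Windows` or `Microsoft Corporation` signed, trusted binary that loads `System.Management.Automation*.dll` is now excluded except `rundll32.exe` and `regsvr32.exe`, whereas the allow-list it replaces enumerated specific Microsoft hosts (`mmc.exe`, `msiexec.exe`, `InstallUtil.exe`, …) and was therefore narrower and auditable. The `/* Signed Executables from the Program Files folder */` clause likewise accepts any publisher, since its only signature condition is `process.code_signature.trusted == true`. Both are defensible false-positive trade-offs for an endpoint-only rule, but the comments should state the breadth so a future tuner does not mistake them for targeted exclusions, e.g. `/* MS Signed Binaries - broad: any trusted Microsoft-signed host except rundll32/regsvr32 */` and `/* Signed Executables from the Program Files folder - any trusted publisher is accepted */`. If a specific set of Microsoft-signed hosts is expected to be the main false-positive source, listing them under `process.name` in addition to the signer check would keep the exclusion closer to the old allow-list.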