[New Rule] Complementary Rules for Recent REvil TTPs (#1329)
* [New Rule] Complementary Rules for Recent REvil TTPs
* added OFN
* relinted and added T1574.002
* removed new line
* Update defense_evasion_disabling_windows_defender_powershell.toml
* corrected rule name
* added a reference url
* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Update rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
(cherry picked from commit 9fadc4c1dc)
This commit is contained in:
Samirbous
committed by
github-actions[bot]
github-actions[bot]
parent
68e7b6bbe3
commit
dd24dabb0d
@@ -0,0 +1,48 @@
|
||||
[metadata]
|
||||
creation_date = "2021/07/07"
|
||||
maturity = "production"
|
||||
updated_date = "2021/07/07"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings."
|
||||
false_positives = ["Planned Windows Defender configuration changes."]
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Disabling Windows Defender Security Settings via PowerShell"
|
||||
references = [
|
||||
"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "c8cccb06-faf2-4cd5-886e-2c9636cfcb87"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where event.type == "start" and
|
||||
(process.name : ("powershell.exe", "pwsh.exe") or process.pe.original_file_name == "PowerShell.EXE") and
|
||||
process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1562"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/"
|
||||
name = "Impair Defenses"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1562.001"
|
||||
reference = "https://attack.mitre.org/techniques/T1562/001/"
|
||||
name = "Disable or Modify Tools"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0005"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
name = "Defense Evasion"
|
||||
@@ -0,0 +1,48 @@
|
||||
[metadata]
|
||||
creation_date = "2021/07/07"
|
||||
maturity = "production"
|
||||
updated_date = "2021/07/07"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to
|
||||
weaken the host firewall settings.
|
||||
"""
|
||||
false_positives = ["Host Windows Firewall planned system administration changes."]
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Enable Host Network Discovery via Netsh"
|
||||
risk_score = 47
|
||||
rule_id = "8b4f0816-6a65-4630-86a6-c21c179c0d09"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where event.type == "start" and
|
||||
process.name : "netsh.exe" and
|
||||
process.args : ("firewall", "advfirewall") and process.args : "group=Network Discovery" and process.args : "enable=Yes"
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
reference = "https://attack.mitre.org/techniques/T1562/"
|
||||
id = "T1562"
|
||||
name = "Impair Defenses"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
reference = "https://attack.mitre.org/techniques/T1562/001/"
|
||||
id = "T1562.001"
|
||||
name = "Disable or Modify Tools"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
id = "TA0005"
|
||||
name = "Defense Evasion"
|
||||
@@ -0,0 +1,54 @@
|
||||
[metadata]
|
||||
creation_date = "2021/07/07"
|
||||
maturity = "production"
|
||||
updated_date = "2021/07/07"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking
|
||||
starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade
|
||||
defenses via side-loading a malicious DLL within the memory space of one of those processes.
|
||||
"""
|
||||
false_positives = ["Microsoft Antimalware Service Executable installed on non default installation path."]
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential DLL Side-Loading via Microsoft Antimalware Service Executable"
|
||||
references = [
|
||||
"https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/",
|
||||
]
|
||||
risk_score = 73
|
||||
rule_id = "053a0387-f3b5-4ba5-8245-8002cca2bd08"
|
||||
severity = "high"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where event.type == "start" and
|
||||
(process.pe.original_file_name == "MsMpEng.exe" and not process.name : "MsMpEng.exe") or
|
||||
(process.name : "MsMpEng.exe" and not
|
||||
process.executable : ("?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
|
||||
"?:\\Program Files\\Windows Defender\\*.exe",
|
||||
"?:\\Program Files (x86)\\Windows Defender\\*.exe"))
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1574"
|
||||
name = "Hijack Execution Flow"
|
||||
reference = "https://attack.mitre.org/techniques/T1574/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1574.002"
|
||||
name = "DLL Side-Loading"
|
||||
reference = "https://attack.mitre.org/techniques/T1574/002/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
name = "Defense Evasion"
|
||||
reference = "https://attack.mitre.org/tactics/TA0005/"
|
||||
id = "TA0005"
|
||||
Reference in New Issue
Block a user