diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
new file mode 100644
index 000000000..8ee7bf2cb
--- /dev/null
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2021/07/07"
+maturity = "production"
+updated_date = "2021/07/07"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings."
+false_positives = ["Planned Windows Defender configuration changes."]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Disabling Windows Defender Security Settings via PowerShell"
+references = [
+ "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps",
+]
+risk_score = 47
+rule_id = "c8cccb06-faf2-4cd5-886e-2c9636cfcb87"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+  (process.name : ("powershell.exe", "pwsh.exe") or process.pe.original_file_name == "PowerShell.EXE") and
+  process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+reference = "https://attack.mitre.org/techniques/T1562/"
+name = "Impair Defenses"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+name = "Disable or Modify Tools"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+name = "Defense Evasion"
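Review bot: The `process.args : "Set-MpPreference"` and `("-Disable*", "Disabled", "NeverSend", "-Exclusion*")` terms in this query only match when each token arrives as its own argument, so if `process.args` is populated by Windows argv splitting (as it appears to be for these indices) an invocation that passes the whole command as one quoted string, `-Command "Set-MpPreference -DisableRealtimeMonitoring $true"`, or via `-EncodedCommand`, will not fire. Consider `process.args : "*Set-MpPreference*"` paired with substring variants of the second list (`"*-Disable*"`, `"*NeverSend*"`, `"*-Exclusion*"`), accepting the extra false positives that wider wildcards bring, and record the encoded-command gap in the description. Separately, `Add-MpPreference -ExclusionPath` is the common way an exclusion is added and is not covered; `process.args : ("Set-MpPreference", "Add-MpPreference")` would close that without changing the rule's intent. If renamed pwsh.exe is in scope, note that `process.pe.original_file_name == "PowerShell.EXE"` only covers renamed Windows PowerShell; PowerShell 7's original file name differs (I believe it is `pwsh.dll`, confirm against a binary), so the list would need extending.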
diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
new file mode 100644
index 000000000..47bd73bc3
--- /dev/null
+++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2021/07/07"
+maturity = "production"
+updated_date = "2021/07/07"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to
+weaken the host firewall settings.
+"""
+false_positives = ["Host Windows Firewall planned system administration changes."]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Enable Host Network Discovery via Netsh"
+risk_score = 47
+rule_id = "8b4f0816-6a65-4630-86a6-c21c179c0d09"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+process.name : "netsh.exe" and
+process.args : ("firewall", "advfirewall") and process.args : "group=Network Discovery" and process.args : "enable=Yes"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1562/"
+id = "T1562"
+name = "Impair Defenses"
+[[rule.threat.technique.subtechnique]]
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+id = "T1562.001"
+name = "Disable or Modify Tools"
+
+
+
+[rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0005"
+name = "Defense Evasion"
diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
new file mode 100644
index 000000000..cbafe1dea
--- /dev/null
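Review bot: The ATT&CK mapping at the end of this hunk uses T1562.001 (Disable or Modify Tools), but enabling a firewall rule group is what T1562.004 (Disable or Modify System Firewall) describes; change `id = "T1562.001"` to `id = "T1562.004"`, its `reference` to `https://attack.mitre.org/techniques/T1562/004/`, and `name` to `"Disable or Modify System Firewall"`. The `process.args : "group=Network Discovery"` term is also brittle: netsh takes the group by its localized display name, so non-English hosts will emit a different string, and netsh also accepts the group's resource identifier (for Network Discovery I believe this is `@FirewallAPI.dll,-32752`; confirm on a stock host), which this rule does not match at all. Likewise, netsh accepts unambiguous abbreviations of context and command names, so `process.args : ("firewall", "advfirewall")` can be sidestepped by `netsh advf fire set rule ...` if that shorthand is accepted on the target build, so consider `process.args : ("firewall", "advfirewall", "advf*")` or a `process.command_line` wildcard and documenting the residual gap. Finally, this rule ships without a `references` array unlike the siblings in the same change; a link to the `netsh advfirewall firewall set rule` documentation would help triage.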
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml 
@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2021/07/07"
+maturity = "production"
+updated_date = "2021/07/07"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking
+starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade
+defenses via side-loading a malicious DLL within the memory space of one of those processes.
+"""
+false_positives = ["Microsoft Antimalware Service Executable installed on non default installation path."]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential DLL Side-Loading via Microsoft Antimalware Service Executable"
+references = [
+ "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/",
+]
+risk_score = 73
+rule_id = "053a0387-f3b5-4ba5-8245-8002cca2bd08"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+  (process.pe.original_file_name == "MsMpEng.exe" and not process.name : "MsMpEng.exe") or
+  (process.name : "MsMpEng.exe" and not
+    process.executable : ("?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
+                          "?:\\Program Files\\Windows Defender\\*.exe",
+                          "?:\\Program Files (x86)\\Windows Defender\\*.exe"))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.002"
+name = "DLL Side-Loading"
+reference = "https://attack.mitre.org/techniques/T1574/002/"
+
+
+[rule.threat.tactic]
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0005"
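Review bot: The query in this hunk has an operator-precedence bug: `and` binds tighter than `or` in EQL, so `event.type == "start"` constrains only the first alternative, and the second one (`process.name : "MsMpEng.exe" and not process.executable : (...)`) matches every `process` event for that name, including process-end events on the endpoint indices, which duplicates alerts and breaks the start-only intent stated by the description. Wrap the two alternatives in one extra pair of parentheses, changing the second query line to `  ((process.pe.original_file_name == "MsMpEng.exe" and not process.name : "MsMpEng.exe") or` and the last path line to `"?:\\Program Files (x86)\\Windows Defender\\*.exe")))`. The `false_positives` note about non-default install paths suggests the allow-list is expected to grow; if older hosts with Microsoft Security Essentials are in scope, its install directory (`?:\\Program Files\\Microsoft Security Client\\*.exe`, confirm against such a host) is a likely first addition, and a comment above `query` recording why each path is trusted would keep later edits honest. Note also that the path allow-list trusts anything named `MsMpEng.exe` under those directories, so a renamed copy dropped there by an administrator-level attacker still passes; that is acceptable for this rule's scope but worth stating in the description.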