From dec4243db00ce024073a87efdb0244d05c88cba6 Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Wed, 16 Feb 2022 13:42:06 -0300 Subject: [PATCH] [Rule Tuning] Update rules based on docs review (#1778) * Update rules based on docs review * trivial change to trigger CLA * undo changes from triggering build Co-authored-by: Justin Ibarra --- ..._evasion_agent_spoofing_mismatched_id.toml | 4 ++-- ...evasion_agent_spoofing_multiple_hosts.toml | 4 ++-- .../threat_intel_filebeat8x.toml | 10 ++++---- .../threat_intel_fleet_integrations.toml | 12 +++++----- ...ense_evasion_suppression_rule_created.toml | 4 ++-- ...p_virtual_private_cloud_route_created.toml | 10 ++++---- ...oft_365_mailboxauditbypassassociation.toml | 4 ++-- .../collection_posh_audio_capture.toml | 6 ++--- rules/windows/collection_posh_keylogger.toml | 12 +++++----- .../collection_posh_screen_grabber.toml | 6 ++--- ..._access_kerberoasting_unusual_process.toml | 4 ++-- .../credential_access_posh_minidump.toml | 8 +++---- ...l_access_suspicious_comsvcs_imageload.toml | 4 ++-- ...ccess_suspicious_lsass_access_memdump.toml | 4 ++-- ..._suspicious_lsass_access_via_snapshot.toml | 6 ++--- ..._symbolic_link_to_shadow_copy_created.toml | 7 +++--- .../defense_evasion_posh_assembly_load.toml | 6 ++--- .../defense_evasion_posh_compressed.toml | 8 +++---- ...efense_evasion_posh_process_injection.toml | 10 ++++---- ..._powershell_windows_firewall_disabled.toml | 8 +++---- ...scovery_posh_suspicious_api_functions.toml | 8 +++---- ...very_privileged_localgroup_membership.toml | 4 ++-- .../execution_posh_portable_executable.toml | 8 +++---- rules/windows/execution_posh_psreflect.toml | 8 +++---- ...ege_escalation_group_policy_iniscript.toml | 8 +++---- ...lation_group_policy_privileged_groups.toml | 24 +++++++++---------- ...scalation_group_policy_scheduled_task.toml | 17 ++++++------- ...rivilege_escalation_installertakeover.toml | 10 ++++---- 28 files changed, 113 insertions(+), 111 deletions(-) 
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml index f6b7e2785..fd1d03bc8 100644 --- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml +++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/07/14" maturity = "production" -updated_date = "2021/07/14" +updated_date = "2022/02/16" min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14" min_stack_version = "7.15.0" @@ -13,7 +13,7 @@ indicate attempts to spoof events in order to masquerade actual activity to evad """ false_positives = [ """ - This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the + This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives. """, ] diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml index 55a25f391..0a0955aaa 100644 --- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml +++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/07/14" maturity = "production" -updated_date = "2021/07/14" +updated_date = "2022/02/16" min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14" min_stack_version = "7.15.0" @@ -13,7 +13,7 @@ masquerade actual activity to evade detection. """ false_positives = [ """ - This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the + This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives. """, ] 
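Review bot: The reworded false-positive text in both agent-spoofing rules on this line tells operators the rule needs Elastic Agent 7.14+, while the `[metadata]` hunk just above still pins `min_stack_version = "7.15.0"` beside a `min_stack_comments` value that only explains 7.14, so a reader cannot tell which bound is the real floor. The commit only bumps `updated_date` here, so the disagreement is inherited rather than introduced, but since the prose is being touched anyway it is the moment to reconcile them. If 7.15.0 is intentional, extend `min_stack_comments` with the reason for the extra minor version and keep the prose at 7.14+; if it is not, lower `min_stack_version` to `"7.14.0"` so metadata and text agree. The same pair of hunks, with the same mismatch, is in defense_evasion_agent_spoofing_multiple_hosts.toml on this line.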
diff --git a/rules/cross-platform/threat_intel_filebeat8x.toml b/rules/cross-platform/threat_intel_filebeat8x.toml index dda36e752..ed24a7bc3 100644 --- a/rules/cross-platform/threat_intel_filebeat8x.toml +++ b/rules/cross-platform/threat_intel_filebeat8x.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/11/24" maturity = "production" -updated_date = "2022/02/10" +updated_date = "2022/02/16" min_stack_comments = "Threat index is ECS 1.11 compliant (8.0)." min_stack_version = "8.0" 
@@ -35,18 +35,18 @@ If an indicator matches a local observation, the following enriched fields will #### Possible investigation steps: - Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched -and viewing the source of that activity. +and by viewing the source of that activity. - Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior. -- Consider the user and their role within the company, is this something related to their job or work function? +- Consider the user and their role within the company: is this something related to their job or work function? ### False Positive Analysis - For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can be a great tool for augmenting existing security processes, while at the same time it should be understood that threat intelligence can represent a specific set of activity observed at a point in time. For example, an IP address -may have hosted malware observed in a Dridex campaign month ago, but it's possible that IP has been remediated and +may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat. -- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their +- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`; these tools often find their way into indicator lists creating the potential for false positives. - It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules. 
diff --git a/rules/cross-platform/threat_intel_fleet_integrations.toml b/rules/cross-platform/threat_intel_fleet_integrations.toml index 165cfd605..5b88f36a1 100644 --- a/rules/cross-platform/threat_intel_fleet_integrations.toml +++ b/rules/cross-platform/threat_intel_fleet_integrations.toml @@ -1,14 +1,14 @@ [metadata] creation_date = "2021/04/21" maturity = "production" -updated_date = "2022/01/26" +updated_date = "2022/02/16" min_stack_comments = "Threat intel module fields were updated from `threatintel.*` to `threat.*` in ECS 1.11 (7.16)." min_stack_version = "8.0" [rule] author = ["Elastic"] description = """ -This rule is triggered when indicators from the Threat Intel integrations has a match against local file or network observations. +This rule is triggered when indicators from the Threat Intel integrations have a match against local file or network observations. """ from = "now-65m" index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"] 
@@ -35,18 +35,18 @@ If an indicator matches a local observation, the following enriched fields will #### Possible investigation steps: - Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched -and viewing the source of that activity. +and by viewing the source of that activity. - Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior. -- Consider the user and their role within the company, is this something related to their job or work function? +- Consider the user and their role within the company: is this something related to their job or work function? ### False Positive Analysis - For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can be a great tool for augmenting existing security processes, while at the same time it should be understood that threat intelligence can represent a specific set of activity observed at a point in time. For example, an IP address -may have hosted malware observed in a Dridex campaign month ago, but it's possible that IP has been remediated and +may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat. -- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`, these tools often find their +- Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`; these tools often find their way into indicator lists creating the potential for false positives. - It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules. 
diff --git a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml index f03f20c54..4e9991d87 100644 --- a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml +++ b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml @@ -1,14 +1,14 @@ [metadata] creation_date = "2021/08/27" maturity = "production" -updated_date = "2021/12/14" +updated_date = "2022/02/16" integration = "azure" [rule] author = ["Austin Songer"] description = """ Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts -previously identified as False Positives or too noisy to be in Production. This mechanism can be abused or mistakenly +previously identified as false positives or too noisy to be in production. This mechanism can be abused or mistakenly configured, resulting in defense evasions and loss of security visibility. """ false_positives = [ diff --git a/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml index d37ca04ff..bf101495f 100644 --- a/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml +++ b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml 
@@ -1,16 +1,16 @@ [metadata] creation_date = "2020/09/22" maturity = "production" -updated_date = "2021/07/20" +updated_date = "2022/02/16" integration = "gcp" [rule] author = ["Elastic"] description = """ -Identifies when a Virtual Private Cloud a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). -Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other -destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in -order to impact the flow of network traffic in their target's cloud environment. +Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes +define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These +destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the +flow of network traffic in their target's cloud environment. """ false_positives = [ """ diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml index 4d2897919..e7c2d01fa 100644 --- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml +++ b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml @@ -2,7 +2,7 @@ creation_date = "2022/01/13" integration = "o365" maturity = "production" -updated_date = "2022/01/13" +updated_date = "2022/02/16" [rule] author = ["Elastic"] 
@@ -15,7 +15,7 @@ administrators can create bypass associations, allowing certain accounts to perf Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account. """ -false_positives = ["Legitimate whitelisting of noisy accounts"] +false_positives = ["Legitimate allowlisting of noisy accounts"] from = "now-30m" index = ["filebeat-*", "logs-o365*"] language = "kuery" diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index 2209bbb9e..916918b39 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/19" maturity = "production" -updated_date = "2021/11/30" +updated_date = "2022/02/16" [rule] author = ["Elastic"] @@ -25,8 +25,8 @@ computer. #### Possible investigation steps: - Examine script content that triggered the detection. -- Investigate script execution chain (parent process tree) -- Inspect any file or network events from the suspicious powershell host process instance. +- Investigate script execution chain (parent process tree). +- Inspect any file or network events from the suspicious PowerShell host process instance. - If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. ### False Positive Analysis diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index e73e32559..edcd15b7d 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml 
@@ -1,12 +1,12 @@ [metadata] creation_date = "2021/10/15" maturity = "production" -updated_date = "2021/11/30" +updated_date = "2022/02/16" [rule] author = ["Elastic"] description = """ -Detects the use of Win32 API Functions that can be used to capture user Keystrokes in PowerShell Scripts. +Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data. """ from = "now-9m" @@ -20,14 +20,14 @@ note = """## Triage and analysis. PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks. -Attackers can abuse PowerShell capabilities to capture user Keystrokes with the goal of stealing credentials and other -valuable information as Credit Card data and confidential conversations. +Attackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other +valuable information as credit card data and confidential conversations. #### Possible investigation steps: - Examine script content that triggered the detection. -- Investigate script execution chain (parent process tree) -- Inspect any file or network events from the suspicious powershell host process instance. +- Investigate script execution chain (parent process tree). +- Inspect any file or network events from the suspicious PowerShell host process instance. - If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. ### False Positive Analysis diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml index dd79a65c8..cf3c3bf41 100644 --- a/rules/windows/collection_posh_screen_grabber.toml +++ b/rules/windows/collection_posh_screen_grabber.toml 
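Review bot: In the rewritten triage note of collection_posh_keylogger.toml, `valuable information as credit card data and confidential conversations.` still reads as a fragment because the comparison word is missing. Suggested replacement line: `valuable information such as credit card data and confidential conversations.`. The `note` multi-line string that holds this paragraph opens before the hunk and closes after it.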
@@ -1,13 +1,13 @@ [metadata] creation_date = "2021/10/19" maturity = "production" -updated_date = "2021/10/19" +updated_date = "2022/02/16" [rule] author = ["Elastic"] description = """ -Detects PowerShell Scripts that can take screenshots, which is a common feature in post-exploitation kits and RATs -(Remote Access Tools). +Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote +access tools (RATs). """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.*"] diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml index 26bab7240..3c5f7c183 100644 --- a/rules/windows/credential_access_kerberoasting_unusual_process.toml +++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/02" maturity = "production" -updated_date = "2021/10/13" +updated_date = "2022/02/16" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ query = ''' network where event.type == "start" and network.direction : ("outgoing", "egress") and destination.port == 88 and source.port >= 49152 and process.executable != "C:\\Windows\\System32\\lsass.exe" and destination.address !="127.0.0.1" and destination.address !="::1" and - /* insert False Positives here */ + /* insert false positives here */ not process.name in ("swi_fc.exe", "fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe", "MicrosoftEdge.exe", "iexplore.exe", "chrome.exe", "msedge.exe", "opera.exe", "firefox.exe") ''' diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml index db01f57fa..7d64bfb03 100644 --- a/rules/windows/credential_access_posh_minidump.toml +++ b/rules/windows/credential_access_posh_minidump.toml 
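Review bot: In the query hunk of credential_access_kerberoasting_unusual_process.toml, the allowlist beneath the renamed `/* insert false positives here */` comment excludes browsers and camera software by `process.name` alone, whereas the exclusion for LSASS two lines earlier is pinned with `process.executable`; the two filters are therefore of different strength, and a reviewer reading the comment has no hint of that. Either constrain the browser entries the same way or state the limitation in the rule's note so tuners know the list is name-based. The comment itself also still reads like an unfilled template; `/* known false positives: browser and IP camera software */` says what the list holds. The `query` literal opens inside this hunk but the surrounding `[rule]` keys are outside it.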
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/05" maturity = "production" -updated_date = "2021/11/30" +updated_date = "2022/02/16" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = """ This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials. """ -false_positives = ["Powershell Scripts that use this capability for troubleshooting."] +false_positives = ["PowerShell scripts that use this capability for troubleshooting."] from = "now-9m" index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" @@ -27,8 +27,8 @@ information stored in the process memory. #### Possible investigation steps: - Examine script content that triggered the detection. -- Investigate script execution chain (parent process tree) -- Inspect any file or network events from the suspicious powershell host process instance. +- Investigate script execution chain (parent process tree). +- Inspect any file or network events from the suspicious PowerShell host process instance. - If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. ### False Positive Analysis diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml index 7a95379a1..9c78e2c18 100644 --- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml +++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml @@ -1,6 +1,6 @@ [metadata] creation_date = "2021/10/17" -updated_date = "2021/10/17" +updated_date = "2022/02/16" maturity = "production" 
@@ -8,7 +8,7 @@ maturity = "production" author = ["Elastic"] description = """ Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a -process memory. This may indicate an attempt to dump LSASS memory while bypassing command line based detection in +process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access. """ from = "now-9m" diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml index e3177d515..80b7973c1 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml @@ -1,13 +1,13 @@ [metadata] creation_date = "2021/10/07" maturity = "production" -updated_date = "2022/01/24" +updated_date = "2022/02/16" [rule] author = ["Elastic"] description = """ Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export -the MiniDumpWriteDump method that can be used to dump LSASS memory content in preperation for credential access. +the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.*"] diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml index b9d5033ac..5d89d464d 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml 
@@ -1,6 +1,6 @@ [metadata] creation_date = "2021/10/14" -updated_date = "2021/10/14" +updated_date = "2022/02/16" maturity = "production" min_stack_version = "7.14.0" min_stack_comments = "Cardinality field not added to threshold rule type until 7.14." @@ -9,7 +9,7 @@ min_stack_comments = "Cardinality field not added to threshold rule type until 7 [rule] author = ["Elastic"] description = """ -Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process access are performed +Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and targeting two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access. """ @@ -20,7 +20,7 @@ license = "Elastic License v2" name = "Potential LSASS Memory Dump via PssCaptureSnapShot" note = """## Config -This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the threshold +This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold rule cardinality feature.""" references = [ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml index ce6f4fdfe..81909a6d7 100644 --- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml +++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml 
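Review bot: The reworded Config note in credential_access_suspicious_lsass_access_via_snapshot.toml now says the rule is meant for `Elastic Agent 7.14+`, but the `[metadata]` hunk of the same file ties the 7.14 floor to `min_stack_comments = "Cardinality field not added to threshold rule type until 7.14."`, which describes a threshold-rule capability of the stack rather than an agent version, so the substitution is misleading here even though it fits the agent-spoofing rules earlier in this patch where the comment names a field. Suggested line: `This is meant to run only on stack versions 7.14+ since versions prior to that will be missing the threshold`, with the existing `rule cardinality feature.""" ` line unchanged. That also brings the note in line with `min_stack_version = "7.14.0"` in the metadata hunk.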
@@ -1,14 +1,15 @@ [metadata] creation_date = "2021/12/25" maturity = "production" -updated_date = "2021/12/31" +updated_date = "2022/02/16" [rule] author = ["Austin Songer"] description = """ -Identifies the creation of symbolic links to a shadow copy. Symbolic Links can be used to access files in the shadow copy, including sensitive files that may contain credential information. +Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow +copy, including sensitive files that may contain credential information. """ -false_positives = ["Legitimate administrative activity related to shadow copies"] +false_positives = ["Legitimate administrative activity related to shadow copies."] from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml index 79b61eb00..b1b9724b2 100644 --- a/rules/windows/defense_evasion_posh_assembly_load.toml +++ b/rules/windows/defense_evasion_posh_assembly_load.toml @@ -1,13 +1,13 @@ [metadata] creation_date = "2021/10/15" maturity = "production" -updated_date = "2021/10/15" +updated_date = "2022/02/16" [rule] author = ["Elastic"] description = """ -This rule detects the use of Reflection.Assembly to load PEs and DLLs in memory in Powershell Scripts. Attackers use -this method to load executables and DLLs without writing to the disk, bypassing security solutions. +Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method +to load executables and DLLs without writing to the disk, bypassing security solutions. """ from = "now-9m" index = ["winlogbeat-*", "logs-windows.*"] diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml index 384240a4d..6935aa448 100644 
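Review bot: The file header for the shadow-copy rule on this line carries the rule name twice, `rules/windows/credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml`, while the preamble diffstat abbreviates it to `..._symbolic_link_to_shadow_copy_created.toml`; judging from the path alone this looks like a leftover of an earlier rename rather than an intended name, and the commit edits the file in place under the doubled path. If that is unintentional, a follow-up rename to `rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml` is worth doing before other tooling starts keying on the path. The wording changes in the hunk itself, including the reflowed description and the trailing full stop added to `false_positives`, are fine.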
--- a/rules/windows/defense_evasion_posh_compressed.toml +++ b/rules/windows/defense_evasion_posh_compressed.toml @@ -1,15 +1,15 @@ [metadata] creation_date = "2021/10/19" maturity = "production" -updated_date = "2021/10/19" +updated_date = "2022/02/16" [rule] author = ["Elastic"] description = """ -Identifies the use of .Net functionality for decompression and base64 decoding combined in PowerShell scripts, which Malware and security tools -heavily use to deobfuscate payloads and load them directly in memory to bypass defenses. +Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which +malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses. """ -false_positives = ["Legitimate PowerShell Scripts which makes use of compression and encoding"] +false_positives = ["Legitimate PowerShell Scripts which makes use of compression and encoding."] from = "now-9m" index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml index 7ad1f4905..31af43230 100644 --- a/rules/windows/defense_evasion_posh_process_injection.toml +++ b/rules/windows/defense_evasion_posh_process_injection.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/14" maturity = "production" -updated_date = "2021/11/30" +updated_date = "2022/02/16" [rule] author = ["Elastic"] @@ -9,7 +9,7 @@ description = """ Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes. """ -false_positives = ["Legitimate Powershell Scripts that make use of these Functions"] +false_positives = ["Legitimate PowerShell scripts that make use of these functions."] from = "now-9m" index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" 
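Review bot: The new `false_positives` string in defense_evasion_posh_compressed.toml, `Legitimate PowerShell Scripts which makes use of compression and encoding.`, keeps a capitalised "Scripts" and a subject–verb mismatch, whereas the sibling hunk on this same line (defense_evasion_posh_process_injection.toml) is normalised by this commit to `Legitimate PowerShell scripts that make use of these functions.`. Suggested line: `false_positives = ["Legitimate PowerShell scripts that make use of compression and encoding."]`. The same normalised form is used again in discovery_posh_suspicious_api_functions.toml later in the patch, so this file is the only outlier.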
@@ -24,14 +24,14 @@ PowerShell is one of the main tools used by system administrators for automation PowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc. -Red Team tooling and Malware Developers take advantage of these capabilities to develop stagers and loaders that inject +Red Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory, without touching the disk. #### Possible investigation steps: - Examine script content that triggered the detection. -- Investigate script execution chain (parent process tree) -- Inspect any file or network events from the suspicious powershell host process instance. +- Investigate script execution chain (parent process tree). +- Inspect any file or network events from the suspicious PowerShell host process instance. - If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. ### False Positive Analysis diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml index 725c11f15..44c889227 100644 --- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml +++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/15" maturity = "production" -updated_date = "2021/11/24" +updated_date = "2022/02/16" [rule] 
@@ -12,9 +12,9 @@ constraints, like internet and network lateral communication restrictions. """ false_positives = [ """ - Windows Firewall can be disabled may be performed by a system administrator. Verify whether the user identity, - user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by - unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or + hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be + investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] from = "now-9m" diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml index d896a875b..b1336bebf 100644 --- a/rules/windows/discovery_posh_suspicious_api_functions.toml +++ b/rules/windows/discovery_posh_suspicious_api_functions.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/13" maturity = "production" -updated_date = "2021/11/30" +updated_date = "2022/02/16" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ This rule detects the use of discovery-related Windows API functions in PowerShe functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc. """ -false_positives = ["Legitimate Powershell Scripts that make use of these Functions"] +false_positives = ["Legitimate PowerShell scripts that make use of these functions."] from = "now-9m" index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" 
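Review bot: The rewrapped false-positive paragraph in defense_evasion_powershell_windows_firewall_disabled.toml still says `Windows Profile being disabled by unfamiliar users should be`, which in a rule about the firewall presumably means a Windows Firewall profile; as written it reads as a Windows user profile. Suggested line: `hostname should be making changes in your environment. A Windows Firewall profile being disabled by unfamiliar users should be`, with the following `investigated. ...` line re-wrapped to match. The `false_positives` array and its multi-line string open before this hunk.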
@@ -22,14 +22,14 @@ note = """## Triage and analysis. PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks. -Attackers can use PowerShell to interact with the Win32 API to bypass file based AntiVirus detections, using libraries +Attackers can use PowerShell to interact with the Win32 API to bypass file based antivirus detections, using libraries like PSReflect or Get-ProcAddress Cmdlet. #### Possible investigation steps: - Examine script content that triggered the detection. - Investigate script execution chain (parent process tree). -- Inspect any file or network events from the suspicious powershell host process instance. +- Inspect any file or network events from the suspicious PowerShell host process instance. - If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. ### False Positive Analysis diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml index f610729a3..f90b72728 100644 --- a/rules/windows/discovery_privileged_localgroup_membership.toml +++ b/rules/windows/discovery_privileged_localgroup_membership.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/10/15" maturity = "production" -updated_date = "2021/10/15" +updated_date = "2022/02/16" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ license = "Elastic License v2" name = "Enumeration of Privileged Local Groups Membership" note = """## Config -This will require Windows security event 4799 by enabling audit success for the windows Account Management category and +This will require Windows security event 4799 by enabling audit success for the Windows Account Management category and the Security Group Management subcategory. """ risk_score = 43 diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml index 616118ecf..7f35483c8 100644 
--- a/rules/windows/execution_posh_portable_executable.toml +++ b/rules/windows/execution_posh_portable_executable.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/15" maturity = "production" -updated_date = "2021/11/30" +updated_date = "2022/02/16" [rule] author = ["Elastic"] @@ -21,14 +21,14 @@ note = """## Triage and analysis. PowerShell is one of the main tools used by system administrators for automation, report routines, and other tasks. -Attackers can abuse PowerShell In-Memory capabilities to inject executables into memory without touching the disk, bypassing -AntiVirus software. These executables are generally base64 encoded. +Attackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, +bypassing antivirus software. These executables are generally base64 encoded. #### Possible investigation steps: - Examine script content that triggered the detection. - Investigate script execution chain (parent process tree). -- Inspect any file or network events from the suspicious powershell host process instance. +- Inspect any file or network events from the suspicious PowerShell host process instance. - If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. ### False Positive Analysis diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml index d5bc89f07..eb43b5e6d 100644 --- a/rules/windows/execution_posh_psreflect.toml +++ b/rules/windows/execution_posh_psreflect.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/10/15" maturity = "production" -updated_date = "2021/10/15" +updated_date = "2022/02/16" [rule] author = ["Elastic"] 
@@ -9,7 +9,7 @@ description = """ Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions. """ -false_positives = ["Legitimate Powershell Scripts that make use of PSReflect to access the win32 API"] +false_positives = ["Legitimate PowerShell scripts that make use of PSReflect to access the win32 API"] from = "now-9m" index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" @@ -26,7 +26,7 @@ create enums and structs easily—all without touching the disk. Although this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities. -Detecting the core implementation of PSReflect means detecting most of the tooling that uses windows API through +Detecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling the defender to discover tools being dropped in the environment. #### Possible investigation steps: @@ -48,7 +48,7 @@ PowerShell, enabling the defender to discover tools being dropped in the environ - PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70 ### Response and Remediation -- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further +- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further post-compromise behavior. ## Config diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml index 5bc65aa47..e6f6346c3 100644 --- a/rules/windows/privilege_escalation_group_policy_iniscript.toml +++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml 
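Review bot: Style: the `false_positives` entry in this hunk keeps no trailing period (`...to access the win32 API`), while the same commit adds one to the equivalent entry in `discovery_posh_suspicious_api_functions.toml`; suggest `Legitimate PowerShell scripts that make use of PSReflect to access the Win32 API.`, which also matches the `Win32 API` capitalisation used in the other rule notes of this patch. Purely cosmetic, but these strings are shown to analysts verbatim in the rule UI.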
@@ -1,7 +1,7 @@ [metadata] creation_date = "2021/11/08" maturity = "production" -updated_date = "2021/11/08" +updated_date = "2022/02/16" [rule] author = ["Elastic"] @@ -18,13 +18,13 @@ note = """## Triage and analysis ### Investigating Scheduled Task Execution at Scale via GPO Group Policy Objects can be used by attackers as a mechanism for an attacker to instruct an arbitrarily large group of clients to -execute specified commands at Startup, Logon, Shutdown, and Logoff. This is done by creating/modifying the `scripts.ini` or +execute specified commands at startup, logon, shutdown, and logoff. This is done by creating/modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following path: `\\Machine\\Scripts\\`, `\\User\\Scripts\\` #### Possible investigation steps: - This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation. -- Retrieve the contents of the script file, check for any potentially malicious commands and binaries. +- Retrieve the contents of the script file, and check for any potentially malicious commands and binaries. - If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. ### False Positive Analysis @@ -35,7 +35,7 @@ and the administrator is authorized to perform this operation. - Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e ### Response and Remediation -- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further +- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further post-compromise behavior. ## Config 
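Review bot: The triage heading in this file still reads `### Investigating Scheduled Task Execution at Scale via GPO`, but the body of the hunk describes the `scripts.ini`/`psscripts.ini` startup/logon script mechanism, and the hunk's own Related Rules list names `Scheduled Task Execution at Scale via GPO` as a separate rule, so the heading looks copied from that sibling. Suggest `### Investigating Startup/Logon Script added to Group Policy Object`, the name the sibling rules use for this one in their Related Rules lists, so the analyst is not pointed at the wrong mechanism. Since a script placed here runs on every client the GPO applies to, an additional investigation step such as `- Determine which OUs or computers the modified GPO is linked to, to scope the affected hosts.` would help; the rule's `name` and query fields are outside this hunk.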
diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml index e89d533b3..43387db0e 100644 --- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml +++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml @@ -1,13 +1,13 @@ [metadata] creation_date = "2021/11/08" maturity = "production" -updated_date = "2021/11/08" +updated_date = "2022/02/16" [rule] author = ["Elastic"] description = """ -This rule detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to -add users as local admins. +Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or +use them to add users as local admins. """ index = ["winlogbeat-*", "logs-system.*"] language = "kuery" 
@@ -17,29 +17,29 @@ note = """## Triage and analysis ### Investigating Group Policy Abuse for Privilege Addition -Group Policy Objects can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named -GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO, this file is unique -for each GPO, and only exists if the GPO contains security settings. +Group Policy Objects can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF +file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. +This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: "\\\\DC.com\\SysVol\\DC.com\\Policies\\{21B9B880-B2FB-4836-9C2D-2013E0D832E9}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf" #### Possible investigation steps: -- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate -and the administrator is authorized to perform this operation. -- Retrieve the contents of the `GptTmpl.inf` file, under the `Privilege Rights` section, look for potentially dangerous high privileges, -for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc. +- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity +is legitimate and the administrator is authorized to perform this operation. +- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially +dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc. - Inspect the user SIDs associated with these privileges ### False Positive Analysis - Verify if these User SIDs should have these privileges enabled. 
- Inspect whether the user that has done these modifications should be allowed to do it. The user name can be found in the -`winlog.event_data.SubjectUserName` field +`winlog.event_data.SubjectUserName` field. ### Related Rules - Scheduled Task Execution at Scale via GPO - Startup/Logon Script added to Group Policy Object ### Response and Remediation -- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further +- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further post-compromise behavior. ## Config diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml index db7ba63bb..3ba801ada 100644 --- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml +++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/11/08" maturity = "production" -updated_date = "2021/11/08" +updated_date = "2022/02/16" [rule] author = ["Elastic"] 
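Review bot: The investigation steps only look at the `Privilege Rights` section of `GptTmpl.inf`, while the rule description and the opening sentence of this hunk also cover modifying group membership; add a step such as `- Check the group membership section of the same GptTmpl.inf for accounts being added to local Administrators or other privileged groups.` The step `- Inspect the user SIDs associated with these privileges` also lacks the terminating period the commit adds elsewhere and leaves the analyst with raw SIDs; `- Inspect the user SIDs associated with these privileges and resolve them to account names.` is more actionable. The section name in the INF is from memory, so confirm it against a real GPO before wording the step.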
@@ -16,14 +16,15 @@ note = """## Triage and analysis ### Investigating Scheduled Task Execution at Scale via GPO -Group Policy Objects can be used by attackers to execute Scheduled Tasks at scale to compromise Objects controlled by a given GPO, -this is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file. +Group Policy Objects can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a +given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` +file. #### Possible investigation steps: -- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity is legitimate -and the administrator is authorized to perform this operation. -- Retrieve the contents of the `ScheduledTasks.xml` file, check the `` and `` XML tags for any potentially malicious -commands and binaries. +- This attack abuses a legitimate mechanism of the Active Directory, so it is important to determine whether the activity +is legitimate and the administrator is authorized to perform this operation. +- Retrieve the contents of the `ScheduledTasks.xml` file, ánd check the `` and `` XML tags for any +potentially malicious commands and binaries. - If the action is suspicious for the user, check for any other activities done by the user in the last 48 hours. ### False Positive Analysis @@ -34,7 +35,7 @@ commands and binaries. - Startup/Logon Script added to Group Policy Object ### Response and Remediation -- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further +- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further post-compromise behavior. ## Config 
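Review bot: The new wording introduces a typo, `ánd check the`, with an accented character that will be shipped verbatim in the rule note; it should be `and check the`. In this view the two backtick pairs before `XML tags` are empty, which is probably angle brackets lost in rendering, but it is worth confirming the actual element names survive in the committed TOML because the investigation step is unusable without them.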
diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml index 4c00ac68a..bb6cfd6b8 100644 --- a/rules/windows/privilege_escalation_installertakeover.toml +++ b/rules/windows/privilege_escalation_installertakeover.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/11/25" maturity = "production" -updated_date = "2022/02/14" +updated_date = "2022/02/16" [rule] author = ["Elastic"] @@ -21,13 +21,13 @@ note = """## Triage and analysis. InstallerFileTakeOver is a weaponized EoP PoC to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY. -This rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copy itself +This rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule. #### Possible investigation steps: -- Check for the digital signature of the executable -- Look for additional processes spawned by the process, command lines and network communications. +- Check for the digital signature of the executable. +- Look for additional processes spawned by the process, command lines, and network communications. - Look for additional alerts involving the host and the user. ### False Positive Analysis @@ -40,7 +40,7 @@ to the location to escalate privileges. An attacker is able to still take over a ### Response and Remediation -- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further +- Immediate response should be taken to validate activity, investigate, and potentially isolate activity to prevent further post-compromise behavior. """ references = [
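Review bot: In the `@@ -21,13` hunk, `escalate privileges to SYSTEM/NT AUTHORITY` names the principal backwards; the account is `NT AUTHORITY\SYSTEM`, and since this sits inside a `"""` TOML basic string the backslash must be written as `NT AUTHORITY\\SYSTEM` (as the `Example Path` in the sibling rule does) or the sentence shortened to `escalate privileges to SYSTEM`. `a weaponized EoP PoC to the CVE-2021-41379 vulnerability` reads better as `for CVE-2021-41379`. The step `- Check for the digital signature of the executable.` could say what a bad result looks like given the next sentence (the PoC overwrites the `elevation_service.exe` DACL and copies itself there): `- Check the digital signature of the executable; a binary at that path that is unsigned or not signed by the product vendor is a strong indicator.`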