diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index 5befdbbdf..3ddb55773 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/04" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/20" +updated_date = "2022/11/01" [rule] author = ["Elastic"] @@ -107,7 +107,9 @@ network where network.protocol == "dns" and "requestbin.net", "cdn.discordapp.com", "discordapp.com", - "discord.com" + "discord.com", + "script.google.com", + "script.googleusercontent.com" ) and /* Insert noisy false positives here */ not process.executable : @@ -164,4 +166,4 @@ reference = "https://attack.mitre.org/techniques/T1567/" [rule.threat.tactic] id = "TA0010" name = "Exfiltration" -reference = "https://attack.mitre.org/tactics/TA0010/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0010/" diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml new file mode 100644 index 000000000..ec6abb515 --- /dev/null +++ b/rules/windows/credential_access_wireless_creds_dumping.toml 
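Review bot: The two new hostnames in the second hunk, `script.google.com` and `script.googleusercontent.com`, are resolved by every browser session that opens a Google Apps Script web app or Workspace add-on, so in Google Workspace tenants they will fire far more often than the paste-site and Discord entries they sit next to. The `/* Insert noisy false positives here */` `not process.executable :` exclusion list that is meant to absorb that noise begins after the hunk ends, so I could not confirm the common browsers are in it; please check before merging, and consider a comment above the additions such as `/* Google Apps Script: legitimate in Workspace tenants, relies on the browser exclusions below */` so the next tuner knows why these two are expected to be loud. The trailing-newline hunk is cosmetic only.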
@@ -0,0 +1,70 @@ +[metadata] +creation_date = "2022/11/01" +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/11/01" + +[rule] +author = ["Elastic"] +description = """ +Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +language = "eql" +license = "Elastic License v2" +name = "Wireless Credential Dumping using Netsh Command" +note = """## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. +""" +references = [ + "https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts", + "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/", +] +risk_score = 73 +rule_id = "2de87d72-ee0c-43e2-b975-5f0b029ac600" +severity = "high" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Discovery", "Elastic Endgame"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where event.type == "start" and + (process.name : "netsh.exe" or process.pe.original_file_name == "netsh.exe") and + process.args : "wlan" and process.args : "key*clear" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1003" +name = "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" +[[rule.threat.technique]] +id = "T1555" +name = "Credentials from Password Stores" +reference = "https://attack.mitre.org/techniques/T1555/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = 
"https://attack.mitre.org/tactics/TA0006/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml new file mode 100644 index 000000000..d7a137c6b --- /dev/null +++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml 
@@ -0,0 +1,77 @@ +[metadata] +creation_date = "2022/11/01" +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/11/01" + +[rule] +author = ["Elastic"] +description = """ +Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by +default) and is set to 1, then remote connections from all local members of Administrators are granted full +high-integrity tokens during negotiation. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"] +language = "eql" +license = "Elastic License v2" +name = "Local Account TokenFilter Policy Disabled" +references = [ + "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", + "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf", +] +risk_score = 47 +rule_id = "07b1ef73-1fde-4a49-a34a-5dd40011b076" +severity = "medium" +tags = [ + "Elastic", + "Host", + "Windows", + "Threat Detection", + "Defense Evasion", + "Privilege Escalation", + "Elastic Endgame", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where registry.path : ( + "HKLM\\*\\LocalAccountTokenFilterPolicy", + "\\REGISTRY\\MACHINE\\*\\LocalAccountTokenFilterPolicy") and + registry.data.strings : ("1", "0x00000001") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1112" +name = "Modify Registry" +reference = "https://attack.mitre.org/techniques/T1112/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = 
"https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique.subtechnique]] +id = "T1078.003" +name = "Local Accounts" +reference = "https://attack.mitre.org/techniques/T1078/003/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml new file mode 100644 index 000000000..9d4b61dc8 --- /dev/null +++ b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml 
@@ -0,0 +1,71 @@ +[metadata] +creation_date = "2022/11/01" +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/11/01" + +[rule] +author = ["Elastic"] +description = """ +Identifies the execution of discovery commands to enumerate system info or files and folders using the Windows Command Shell. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "System Information Discovery via Windows Command Shell" +note = """## Setup + +If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. +""" +risk_score = 21 +rule_id = "d68e95ad-1c82-4074-a12a-125fe10ac8ba" +severity = "low" +tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Execution"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where event.type == "start" and + process.name : "cmd.exe" and process.args : "/c" and process.args : ("set", "dir") +''' + + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1082" +name = "System Information Discovery" +reference = "https://attack.mitre.org/techniques/T1082/" + +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + + [[rule.threat.technique.subtechnique]] + id = 
"T1059.003" + name = "Windows Command Shell" + reference = "https://attack.mitre.org/techniques/T1059/003/" + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml index 7dcc4d5c0..234d72a01 100644 --- a/rules/windows/persistence_suspicious_com_hijack_registry.toml +++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/20" +updated_date = "2022/11/01" [rule] author = ["Elastic"] 
@@ -80,25 +80,31 @@ type = "eql" query = ''' registry where - (registry.path : "HK*}\\InprocServer32\\" and registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and - not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*") - or - /* in general COM Registry changes on Users Hive is less noisy and worth alerting */ - (registry.path : ("HKEY_USERS\\*Classes\\*\\InprocServer32\\", - "HKEY_USERS\\*Classes\\*\\LocalServer32\\", - "HKEY_USERS\\*Classes\\*\\DelegateExecute\\", - "HKEY_USERS\\*Classes\\*\\TreatAs\\", - "HKEY_USERS\\*Classes\\CLSID\\*\\ScriptletURL\\") and - not (process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and - registry.path : "HKEY_USERS\\S-1-5-21-*_Classes\\CLSID\\*\\LocalServer32\\") and /* not necessary but good for filtering privileged installations */ - user.domain != "NT AUTHORITY" - ) and + user.domain != "NT AUTHORITY" and + +( + (registry.path : "HK*\\InprocServer32\\" and registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and + not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*") or + + /* in general COM Registry changes on Users Hive is less noisy and worth alerting */ + (registry.path : ("HKEY_USERS\\*\\InprocServer32\\*", + "HKEY_USERS\\*\\LocalServer32\\*", + "HKEY_USERS\\*\\DelegateExecute\\*", + "HKEY_USERS\\*\\TreatAs\\*", + "HKEY_USERS\\*\\ScriptletURL\\*") and + not (process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and + registry.path : "HKEY_USERS\\S-1-5-21-*_Classes\\CLSID\\*\\LocalServer32\\*")) or + + (registry.path : "HKLM\\*\\InProcServer32\\*" and registry.data.strings : ("*\\Users\\*", "*\\ProgramData\\*")) + +) and + /* removes false-positives generated by OneDrive and Teams */ not process.name : ("OneDrive.exe","OneDriveSetup.exe","FileSyncConfig.exe","Teams.exe") and + /* Teams DLL loaded by regsvr */ - not (process.name: "regsvr32.exe" and - registry.data.strings : 
"*Microsoft.Teams.*.dll") + not (process.name: "regsvr32.exe" and registry.data.strings : "*Microsoft.Teams.*.dll") ''' diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml index 6be0a3c01..dc08d5078 100644 --- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml +++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml @@ -3,7 +3,7 @@ creation_date = "2021/01/09" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/11/01" [rule] author = ["Elastic", "Skoetting"] @@ -16,7 +16,7 @@ from = "now-9m" index = ["winlogbeat-*", "logs-system.*"] language = "eql" license = "Elastic License v2" -name = "User Added to Privileged Group in Active Directory" +name = "User Added to Privileged Group" note = """## Triage and analysis ### Investigating User Added to Privileged Group in Active Directory diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml index 571264dd3..13a02c023 100644 --- a/rules/windows/persistence_user_account_creation.toml +++ b/rules/windows/persistence_user_account_creation.toml @@ -40,6 +40,7 @@ investigating further, verify that this activity is not benign. ### Related rules - Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e +- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694 ### Response and remediation diff --git a/rules/windows/persistence_user_account_creation_event_logs.toml b/rules/windows/persistence_user_account_creation_event_logs.toml index 6dd409978..761f0aa9f 100644 --- a/rules/windows/persistence_user_account_creation_event_logs.toml +++ b/rules/windows/persistence_user_account_creation_event_logs.toml 
@@ -1,13 +1,13 @@ [metadata] creation_date = "2021/01/04" maturity = "development" -updated_date = "2022/08/24" +updated_date = "2022/11/01" [rule] author = ["Skoetting"] description = """ -Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or -domain. +Identifies attempts to create a Windows User Account. This is sometimes done by attackers to persist or increase access +to a system or domain. """ false_positives = [ """ @@ -19,7 +19,7 @@ false_positives = [ index = ["winlogbeat-*", "logs-system.*"] language = "kuery" license = "Elastic License v2" -name = "Creation of a local user account" +name = "Windows User Account Creation" risk_score = 21 rule_id = "38e17753-f581-4644-84da-0d60a8318694" severity = "low" @@ -28,7 +28,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.module:security and event.code:4720 +event.module : ("system" or "security") and (event.code : "4720" or event.action : "added-user-account") ''' @@ -44,6 +44,11 @@ reference = "https://attack.mitre.org/techniques/T1136/" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1136/001/" + [[rule.threat.technique.subtechnique]] + id = "T1136.002" + name = "Domain Account" + reference = "https://attack.mitre.org/techniques/T1136/002/" + [rule.threat.tactic] id = "TA0003"
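Review bot: The query hunk makes the rule depend on event 4720 (and the system integration's `added-user-account` mapping of it), but 4720 is only logged when the "Audit User Account Management" subcategory is enabled for success, and the rule carries no setup guidance; a host that never emits it will look clean. Add a setup section alongside the other rules in this commit, e.g. `note = """## Setup\n\nThis rule requires the Windows "Audit User Account Management" advanced audit policy subcategory to be enabled for Success so that event 4720 is generated.\n"""`. Since `event.code : "4720"` is not tied to `event.provider` or the Security channel, any other provider emitting that numeric code on `winlogbeat-*` would also match — presumably rare, but a `winlog.channel : "Security"` or `event.provider` constraint would make the intent explicit.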