security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prep main for 9.1 (#4555)

Browse Source 
* Prep for Release 9.1

* Update Patch Version

* Update Patch version

* Update Patch version
This commit is contained in:
shashank-elastic
2025-03-26 20:34:14 +05:30
committed by GitHub
parent 2d2c5b4d88
commit e8c54169a4
422 changed files with 11786 additions and 12086 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
+26 -28
View File
@@ -2,9 +2,7 @@
creation_date = "2020/11/06"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -23,31 +21,6 @@ index = [
language = "eql"
license = "Elastic License v2"
name = "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows"
references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"]
risk_score = 47
rule_id = "8f919d4b-a5af-47ca-a594-6be59cd924a4"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Lateral Movement",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Resources: Investigation Guide",
]
type = "eql"
query = '''
sequence by host.id with maxspan=5s
[network where host.os.type == "windows" and event.type == "start" and process.name : "explorer.exe" and
network.direction : ("incoming", "ingress") and network.transport == "tcp" and
source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1"
] by process.entity_id
[process where host.os.type == "windows" and event.type == "start" and
process.parent.name : "explorer.exe"
] by process.parent.entity_id
'''
note = """## Triage and analysis
> **Disclaimer**:
@@ -83,6 +56,31 @@ DCOM enables software components to communicate over a network, often used in Wi
- Apply patches and updates to the affected systems to address any vulnerabilities that may have been exploited during the attack.
- Enhance monitoring and logging on the network to detect similar DCOM abuse attempts, ensuring that alerts are configured for high TCP port activity and unusual process spawning by explorer.exe.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment or remediation actions are necessary."""
references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"]
risk_score = 47
rule_id = "8f919d4b-a5af-47ca-a594-6be59cd924a4"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Lateral Movement",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Resources: Investigation Guide",
]
type = "eql"
query = '''
sequence by host.id with maxspan=5s
[network where host.os.type == "windows" and event.type == "start" and process.name : "explorer.exe" and
network.direction : ("incoming", "ingress") and network.transport == "tcp" and
source.port > 49151 and destination.port > 49151 and source.ip != "127.0.0.1" and source.ip != "::1"
] by process.entity_id
[process where host.os.type == "windows" and event.type == "start" and
process.parent.name : "explorer.exe"
] by process.parent.entity_id
'''
[[rule.threat]]