[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945)

* updated content to reflect changes from Security Docs team

* Update rules/linux/execution_flock_binary.toml

* Update rules/linux/execution_expect_binary.toml

* TOML linting

* added escape for credential_access_spn_attribute_modified.toml
Terrance DeJesus
2022-05-06 13:21:12 -04:00
committed by GitHub
parent 8168551c59
commit e9f5585a9f
14 changed files with 88 additions and 85 deletions
+5 -5
@@ -1,15 +1,15 @@
[metadata]
creation_date = "2022/03/21"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/29"
[rule]
author = ["Elastic"]
description = """
Identifies Linux binary crash abuse to break out from restricted environments by spawning an interactive system
shell.The crash utility helps to analyze Linux crash dump data or a live system and the activity of spawing a shell is
not a standard use of this binary by a user or system administrator. It indicates a potentially malicious actor
attempting to improve the capabilities or stability of their access.
Identifies Linux binary crash abuse to break out from restricted environments by spawning an interactive system shell.
The crash utility helps analyze Linux crash dump data or a live system and the activity of spawning a shell is not a
standard use of this binary by a user or system administrator. It indicates a potentially malicious actor attempting to
improve the capabilities or stability of their access.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
+5 -5
@@ -1,15 +1,15 @@
[metadata]
creation_date = "2022/02/24"
maturity = "production"
updated_date = "2022/03/28"
updated_date = "2022/04/29"
[rule]
author = ["Elastic"]
description = """
Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell.The
env utility is a shell command for Unix like OS which is used to print a list of environment variables and the activity
of spawning shell is not a standard use of this binary for a user or system administrator. It indicates a potentially
malicious actor attempting to improve the capabilities or stability of their access
Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell. The
env utility is a shell command for Unix-like operating systems and is used to print a list of environment variables. The
activity of spawning a shell is not a standard use of this binary for a user or system administrator. It indicates a
potentially malicious actor attempting to improve the capabilities or stability of their access.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
+5 -5
@@ -1,15 +1,15 @@
[metadata]
creation_date = "2022/03/07"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/29"
[rule]
author = ["Elastic"]
description = """
Identifies Linux binary expect abuse to break out from restricted environments by spawning an interactive system shell.
The expect utility allows us to automate control of interactive applications such as telnet,ftp,ssh and others and the
activity of spawning shell is not a standard use of this binary for a user or system administrator and could potentially
indicate malicious actor attempting to improve the capabilities or stability of their access.
Identifies Linux binary expect command abuse to break out from restricted environments by spawning an interactive system
shell. The expect utility allows us to automate control of interactive applications such as Telnet, FTP, SSH and others.
The activity of spawning shell is not a standard use of this binary for a user or system administrator and could
potentially indicate malicious actor attempting to improve the capabilities or stability of their access.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
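Review bot: the rewritten description still drops the article in "The activity of spawning shell" and "could potentially indicate malicious actor" (third and fourth lines of the new text); since this is a copy-editing pass, suggest "spawning a shell" and "indicate a malicious actor". The other rules in this commit also standardize on "allows users to" (see the flock description), so "The expect utility allows us to automate" would read more consistently as "allows users to automate".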
+4 -4
@@ -1,15 +1,15 @@
[metadata]
creation_date = "2022/02/28"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/29"
[rule]
author = ["Elastic"]
description = """
Identifies Linux binary find abuse to break out from restricted environments by spawning an interactive system shell.
The find command in Unix is a command line utility for walking a file hirerarchy and the activity of spawning shell is
not a standard use of this binary for a user or system administrator.It indicates a potentially malicious actor
attempting to improve the capabilities or stability of their access.
The find command in Unix is a command line utility for walking a file hierarchy. The activity of spawning shell is not a
standard use of this binary for a user or system administrator. It indicates a potentially malicious actor attempting to
improve the capabilities or stability of their access.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
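Review bot: "The activity of spawning shell is not a standard use" in the new second line is missing an article and should be "spawning a shell", matching the wording used in the crash, env and flock descriptions in this same commit.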
+4 -4
@@ -1,14 +1,14 @@
[metadata]
creation_date = "2022/03/22"
maturity = "production"
updated_date = "2022/03/22"
updated_date = "2022/04/29"
[rule]
author = ["Elastic"]
description = """
Identifies Linux binary flock abuse to break out from restricted environments by spawning an interactive system
shell.The flock utility allows us to manage advisory file locks in shell scripts or on the command line and the activity
of spawing a shell is not a standard use of this binary by a user or system administrator. It indicates a potentially
Identifies Linux binary flock abuse to break out from restricted environments by spawning an interactive system shell.
The flock utility allows users to manage advisory file locks in shell scripts or on the command line. The activity of
spawning a shell is not a standard use of this binary by a user or system administrator. It indicates a potentially
malicious actor attempting to improve the capabilities or stability of their access.
"""
from = "now-9m"
+4 -4
@@ -1,14 +1,14 @@
[metadata]
creation_date = "2022/03/09"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/29"
[rule]
author = ["Elastic"]
description = """
Identifies Linux binary gcc abuse to break out from restricted environments by spawning an interactive system shell.The
gcc utility is a complier system for various languages and mainly used to complie C and C++ programs and the activity of
spawning shell is not a standard use of this binary for a user or system administrator.It indicates a potentially
Identifies Linux binary gcc abuse to break out from restricted environments by spawning an interactive system shell. The
gcc utility is a complier system for various languages and mainly used to compile C and C++ programs. The activity of
spawning shell is not a standard use of this binary for a user or system administrator. It indicates a potentially
malicious actor attempting to improve the capabilities or stability of their access.
"""
from = "now-9m"
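Review bot: the typo "complier" survives in the new second line ("gcc utility is a complier system for various languages") even though "compile" was corrected on the same line; it should be "compiler". The same line also still reads "The activity of spawning shell" rather than "spawning a shell".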
+5 -5
@@ -1,15 +1,15 @@
[metadata]
creation_date = "2022/03/09"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/29"
[rule]
author = ["Elastic"]
description = """
Identifies MySQL server abuse to break out from restricted environments by spawning an interactive system shell.The
MySQL is an open source relational database management system and the activity of spawning shell is not a standard use
of this binary for a user or system administrator.It indicates a potentially malicious actor attempting to improve the
capabilities or stability of their access.
Identifies MySQL server abuse to break out from restricted environments by spawning an interactive system shell. The
MySQL server is an open source relational database management system. The activity of spawning shell is not a standard
use of this binary for a user or system administrator. It indicates a potentially malicious actor attempting to improve
the capabilities or stability of their access.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
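Review bot: "The activity of spawning shell is not a standard use" in the new text is still missing the article ("spawning a shell"), the same slip as in the find and gcc descriptions in this commit; worth fixing in one pass so all of the shell-breakout rules use identical phrasing.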
+7 -6
@@ -1,21 +1,22 @@
[metadata]
creation_date = "2022/03/10"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/29"
[rule]
author = ["Elastic"]
description = """
Identifies Linux binary ssh abuse to break out from restricted environments by spawning an interactive system shell.The
ssh is a network protocol that gives users,particularly system administrators a secure way to access a computer over a
network and the activity of spawning shell is not a standard use of this binary for a user or system administrator.It
indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.
Identifies Linux binary SSH abuse to break out from restricted environments by spawning an interactive system shell. The
SSH protocol is a network protocol that gives users, particularly system administrators, a secure way to access a
computer over a network. The activity of spawning shell is not a standard use of this binary for a user or system
administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their
access.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Linux Restricted Shell Breakout via the ssh command"
name = "Linux Restricted Shell Breakout via the SSH command"
references = ["https://gtfobins.github.io/gtfobins/ssh/"]
risk_score = 47
rule_id = "97da359b-2b61-4a40-b2e4-8fc48cf7a294"
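Review bot: the first sentence of the new description mixes the protocol and the binary: "Linux binary SSH abuse" followed by "The SSH protocol is a network protocol" describes SSH, while the rule (per the gtfobins ssh reference) is about the ssh client binary spawning a shell. Suggest keeping "ssh" lowercase for the binary in the first sentence and reserving "SSH" for the protocol, and fixing "The activity of spawning shell" to "spawning a shell" as in the other rules. Renaming the rule to "...via the SSH command" is safe for the rule itself since rule_id is unchanged, but any saved searches or docs that match on the old name will need updating.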
+4 -4
@@ -1,15 +1,15 @@
[metadata]
creation_date = "2022/03/03"
maturity = "production"
updated_date = "2022/03/24"
updated_date = "2022/04/29"
[rule]
author = ["Elastic"]
description = """
Identifies Linux binary find abuse to break out from restricted environments by spawning an interactive system shell.
The vi/vim is the standard text editor in Linux distribution and the activity of spawning a shell is not a standard use
of this binary by a user or system administrator and could potentially indicate malicious actor attempting to improve
the capabilities or stability of their access."
The vi/vim editor is the standard text editor in Linux distributions, and the activity of spawning a shell is not a
standard use of this binary by a user or system administrator. This could potentially indicate a malicious actor
attempting to improve the capabilities or stability of their access.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
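Review bot: the description's first line, "Identifies Linux binary find abuse to break out from restricted environments", is left untouched by this hunk but is a copy-paste from the find rule; this is the vi/vim rule, so it should read "Identifies Linux binary vi/vim abuse" (or "vim abuse"). Removing the stray trailing double quote after "their access." in the old text is a good catch, since it would have ended up inside the rendered description.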
@@ -3,13 +3,14 @@ creation_date = "2022/02/16"
maturity = "production"
min_stack_comments = "File header bytes field populated until 7.15."
min_stack_version = "7.15.0"
updated_date = "2022/03/10"
updated_date = "2022/04/29"
[rule]
author = ["Elastic"]
description = """
Identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate an
exfiltration attempt of a previously dumped SAM registry hive for credential extraction on an attacker-controlled system.
Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which
may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential
extraction on an attacker-controlled system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
@@ -21,7 +22,7 @@ note = """## Triage and analysis
### Investigating Windows Registry File Creation in SMB Share
Dumping registry hives is a common way to access credential information. Some hives store credential material, as is the
case for the SAM hive, which stores locally cached credentials (SAM Secrets), and the SECURITY hive, which stores domain
case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain
cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to
decrypt these secrets.
@@ -34,7 +35,7 @@ file on an SMB share, which may indicate this kind of exfiltration attempt.
- Investigate other alerts related to the user/host in the last 48 hours.
- Confirm whether the account owner is aware of the operation.
- Examine command line logs for the period when the alert was triggered.
- Capture the registry file(s) to scope the compromised credentials in an eventual Incident Response.
- Capture the registry file(s) to scope the compromised credentials in an eventual incident response.
### False positive analysis
@@ -3,13 +3,13 @@ creation_date = "2022/03/01"
maturity = "production"
min_stack_comments = "The field `file.Ext.header_bytes` was not introduced until 7.15"
min_stack_version = "7.15.0"
updated_date = "2022/03/31"
updated_date = "2022/04/29"
[rule]
author = ["Elastic"]
description = """
Identifies remote access to the registry to potentially dump credential data from the SAM registry hive in preparation
for credential access and privileges elevation.
Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM)
registry hive in preparation for credential access and privileges elevation.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-endpoint.events.*"]
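Review bot: "in preparation for credential access and privileges elevation" in the new second line should be "privilege escalation", which is both grammatical and the MITRE ATT&CK tactic name; the same phrase appears in the Backup Operators rule further down in this commit and should be fixed in both places.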
@@ -21,7 +21,7 @@ note = """## Triage and analysis
### Investigating Potential Remote Credential Access via Registry
Dumping registry hives is a common way to access credential information. Some hives store credential material,
such as the SAM hive, which stores locally cached credentials (SAM Secrets), and the SECURITY hive, which stores domain
such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain
cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to
decrypt these secrets.
@@ -33,7 +33,7 @@ credentials to access other systems in the domain.
- Identify the target host role, involved account, and source host.
- Determine the privileges assigned to any compromised accounts.
- Investigate other alerts related to the involved user and source host in the last 48 hours.
- Scope potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target
- Scope potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target
host.
### False positive analysis
@@ -55,7 +55,7 @@ be monitored by the security team.
## Config
This rule uses Elastic Endpoint file creation and System Integration events for correlation. Both data should be
This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be
collected from the host for this detection to work.
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
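Review bot: "Both data should be collected from the host" on the unchanged line after the edit is still ungrammatical; suggest "Both data sources should be collected". Also check the lowercasing of "System Integration" to "system integration": if this refers to the Elastic Agent System integration (the rule's index list includes logs-system.*), it is a product name and the capitalized form was correct, and lowercasing it makes it read as a generic term.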
@@ -81,29 +81,30 @@ sequence by host.id, user.id with maxspan=1m
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
name = "OS Credential Dumping"
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
name = "Security Account Manager"
id = "T1003.002"
name = "Security Account Manager"
reference = "https://attack.mitre.org/techniques/T1003/002/"
[rule.threat.tactic]
name = "Credential Access"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
name = "Remote Services"
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[rule.threat.tactic]
name = "Lateral Movement"
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -1,14 +1,14 @@
[metadata]
creation_date = "2022/02/22"
maturity = "production"
updated_date = "2022/03/28"
updated_date = "2022/04/29"
[rule]
author = ["Elastic"]
description = """
Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a
user to configure SPNs so that they can perform Kerberoasting. Administrators can also configure this for legitimate
purposes, exposing the account to Kerberoasting.
user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also
configure this for legitimate purposes, exposing the account to Kerberoasting.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*"]
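Review bot: the expanded acronym in the new second line is wrong: "Service Principle Names (SPNs)" should be "Service Principal Names (SPNs)", as the attribute is servicePrincipalName (first line of the description and the winlog.event_data.AttributeLDAPDisplayName query further down). This is the one place in this commit where the copy edit introduces an error rather than fixing one, so it should be corrected before merge.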
@@ -26,7 +26,7 @@ By default, only computer accounts have SPNs, which creates no significant risk,
domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making
them invulnerable to Kerberoasting.
A user account with an SPN assigned is considered a Service Account, and is accessible to the entire domain. If any
A user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any
user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret
key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this
information, as the human-defined password is likely to be less complex.
@@ -77,7 +77,7 @@ DS Access >
Audit Directory Service Changes (Success,Failure)
```
The above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.
The above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.
As this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.
```
@@ -107,16 +107,16 @@ and winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"
[[rule.threat.technique.subtechnique]]
id = "T1558.003"
name = "Kerberoasting"
reference = "https://attack.mitre.org/techniques/T1558/003/"
[[rule.threat.technique.subtechnique]]
name = "Kerberoasting"
id = "T1558.003"
reference = "https://attack.mitre.org/techniques/T1558/003/"
[rule.threat.tactic]
id = "TA0006"
@@ -1,14 +1,14 @@
[metadata]
creation_date = "2022/02/16"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/04/29"
[rule]
author = ["Elastic"]
description = """
Identifies remote access to the registry via an account with Backup Operators group membership. This may indicate an
attempt to exfiltrate credentials via dumping the SAM registry hive in preparation for credential access and privileges
elevation.
Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an
attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for
credential access and privileges elevation.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*"]
@@ -64,30 +64,30 @@ sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
name = "OS Credential Dumping"
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
name = "Security Account Manager"
id = "T1003.002"
name = "Security Account Manager"
reference = "https://attack.mitre.org/techniques/T1003/002/"
[rule.threat.tactic]
name = "Credential Access"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
name = "Remote Services"
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[rule.threat.tactic]
name = "Lateral Movement"
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/03/02"
maturity = "production"
updated_date = "2022/04/06"
updated_date = "2022/04/29"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -13,14 +13,14 @@ from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Signed Proxy Execution via MS WorkFolders"
name = "Signed Proxy Execution via MS Work Folders"
note = """## Triage and analysis
### Investigating Signed Proxy Execution via MS WorkFolders
### Investigating Signed Proxy Execution via MS Work Folders
Work Folders is a role service for file servers running Windows Server that provides a consistent way for users to access
their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When
called, Work Folders will automatically execute any Portable Executable (PE) named `control.exe` as an argument before
called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before
accessing the synced share.
Using Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and
@@ -30,7 +30,7 @@ increase privileges.
- Investigate the process tree starting with parent process WorkFolders.exe and child process control.exe to determine
if other child processes spawned during execution.
- Trace the activity related to the `control.exe` binary to identify any continuing intrusion activity on the host.
- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.
- Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe
binary. It resides in the System32 directory by default.
- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity
@@ -42,14 +42,14 @@ disk from a separate binary.
### False positive analysis
- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the
instance where a suspicious `control.exe` is passed as an argument.
instance where a suspicious control.exe is passed as an argument.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Review the Work Folders synced share to determine if the 'control.exe' was shared and if so remove it.
- If no lateral movement was identified during investigation, take the effected host offline if possible and remove the
- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.
- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the
control.exe binary as well as any additional artifacts identified during investigation.
- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using
Work Folders.