[Security Content] Add Investigation Guides - 8.5 (#2305)
* [Security Content] Add Investigation Guides - 8.5
* Update persistence_run_key_and_startup_broad.toml
* Apply suggestions from security-docs review
* Update execution_suspicious_jar_child_process.toml
* Apply suggestions from review
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -16,7 +16,45 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious JAVA Child Process"
note = """## Setup
note = """## Triage and analysis

### Investigating Suspicious Java Child Process

This rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute
a malicious JAR file or an exploitation attempt via a Java specific vulnerability.

#### Possible investigation steps

- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence and whether they are located in expected locations.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
connections.
- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any
spawned child processes.
- Examine the command line to determine if the command executed is potentially harmful or malicious.
- Inspect the host for suspicious or abnormal behavior in the alert timeframe.

### False positive analysis

- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination
of process and command line conditions.

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved hosts to prevent further post-compromise behavior.
- Remove and block malicious artifacts identified during triage.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).

## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""

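Review bot: the new `### Investigating Suspicious Java Child Process` heading spells the product as Java, while the unchanged `name = "Suspicious JAVA Child Process"` line a few lines above keeps JAVA in capitals; Java is a product name rather than an acronym, and the guide body itself says "Java interpreter" and "JAR file", so the rule name should be changed to match the heading. Also, the response step "Isolate the involved hosts" uses the plural where the otherwise identical step in the Alternate Data Stream guide in this same PR uses the singular "host"; use one form in both guides.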
@@ -3,7 +3,7 @@ creation_date = "2020/03/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -39,7 +39,7 @@ prevalence, whether they are located in expected locations, and if they are sign
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


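Review bot: the `- Scheduled tasks creation.` to `- Scheduled task creation.` correction is right, but the same one-word fix has to be repeated in every other rule file in this PR because the sandbox checklist (`Use a private sandboxed malware analysis system` through the `Search for the existence and reputation of the hashes` line) is pasted verbatim into each rule's note; a test that diffs this shared investigation-guide block across rules would catch the next drift before it needs a sweep of this size. Suggest tracking that as a follow-up rather than blocking this change.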
@@ -3,7 +3,7 @@ creation_date = "2020/11/04"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -42,7 +42,7 @@ prevalence, whether they are located in expected locations, and if they are sign
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -43,7 +43,7 @@ from an internal system.
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -38,7 +38,7 @@ for prevalence, whether they are located in expected locations, and if they are
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2020/11/30"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -39,7 +39,7 @@ for prevalence, whether they are located in expected locations, and if they are
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2020/11/29"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -38,7 +38,7 @@ for prevalence, whether they are located in expected locations, and if they are
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Manually analyze the script to determine if malicious capabilities are present.

@@ -3,7 +3,7 @@ creation_date = "2020/12/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -44,7 +44,7 @@ for prevalence, whether they are located in expected locations, and if they are
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Investigate whether the potential malware ran successfully, is active on the host, or was stopped by defenses.

@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -38,7 +38,7 @@ access.
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


Executable → Regular
+2
-2
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

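Review bot: the `Executable → Regular` marker shows that this rule file also loses its executable bit in this commit, and the commit message does not mention it; the content change in the file is only the `updated_date` bump, so the mode change is presumably the intended cleanup (a TOML rule file has no reason to be executable), but it should be called out in the commit message so it is not mistaken for an accidental checkout artifact.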
@@ -46,7 +46,7 @@ modifications, and any spawned child processes.
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target

@@ -3,7 +3,7 @@ creation_date = "2020/11/02"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -45,7 +45,7 @@ for prevalence, whether they are located in expected locations, and if they are
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2022/02/16"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -44,7 +44,7 @@ for prevalence, whether they are located in expected locations, and if they are
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -44,7 +44,7 @@ prevalence, whether they are located in expected locations, and if they are sign
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use process name, command line, and file hash to search for occurrences on other hosts.

@@ -3,7 +3,7 @@ creation_date = "2021/06/01"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -42,7 +42,7 @@ for prevalence, whether they are located in expected locations, and if they are
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use process name, command line, and file hash to search for occurrences on other hosts.

@@ -3,7 +3,7 @@ creation_date = "2021/02/01"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -45,7 +45,7 @@ modifications, and any spawned child processes.
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


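Review bot: on the `- Use the PowerShell \`Get-FileHash\` cmdlet` line the cmdlet name is wrapped in backticks, whereas the otherwise identical line in most of the other guides touched by this PR (for example the ones under creation_date 2020/03/19 and 2021/07/20) leaves it bare; the notes are Markdown, so pick the backticked form and apply it in every file in this same sweep rather than leaving the guides inconsistent.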
@@ -3,7 +3,7 @@ creation_date = "2021/07/20"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -40,7 +40,7 @@ for prevalence, whether they are located in expected locations, and if they are
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2021/07/07"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -35,7 +35,7 @@ for prevalence, whether they are located in expected locations, and if they are
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.
- Inspect the host for suspicious or abnormal behavior in the alert timeframe.

### False positive analysis


@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -53,7 +53,7 @@ but are not limited to, the Downloads and Document folders and the folder config
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2022/01/12"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -55,7 +55,7 @@ for prevalence, whether they are located in expected locations, and if they are
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2021/10/15"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -41,7 +41,7 @@ prevalence, whether they are located in expected locations, and if they are sign
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2021/10/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -42,7 +42,7 @@ prevalence, whether they are located in expected locations, and if they are sign
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2021/10/15"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Austin Songer"]

@@ -42,7 +42,7 @@ for prevalence, whether they are located in expected locations, and if they are
- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.
- Inspect the host for suspicious or abnormal behavior in the alert timeframe.

### False positive analysis


@@ -3,7 +3,7 @@ creation_date = "2021/10/11"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -34,15 +34,15 @@ calls to bypass security solutions that rely on hooks.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file
modifications, and any spawned child processes.
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
and any spawned child processes.
- Retrieve the process executable and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2020/08/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -31,15 +31,15 @@ of a vulnerability or a malicious process masquerading as a system-critical proc
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file
modifications, and any spawned child processes.
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
and any spawned child processes.
- Retrieve the process executable and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2021/01/21"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -16,7 +16,66 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Unusual File Creation - Alternate Data Stream"
|
||||
note = """## Setup
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Unusual File Creation - Alternate Data Stream
|
||||
|
||||
Alternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are
|
||||
built up from a couple of attributes; one of them is $Data, also known as the data attribute.
|
||||
|
||||
The regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty,
|
||||
contains the data inside the file. So any data stream that has a name is considered an alternate data stream.
|
||||
|
||||
Attackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the
|
||||
creation of alternate data streams on highly targeted file types.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the
|
||||
following PowerShell cmdlet to accomplish this:
|
||||
- `Get-Content -file C:\\Path\\To\\file.exe -stream ADSname`
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
|
||||
and any spawned child processes.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination
|
||||
of process executable and file conditions.
|
||||
|
||||
### Response and remediation
|
||||
|
||||
- Initiate the incident response process based on the outcome of the triage.
|
||||
- Isolate the involved host to prevent further post-compromise behavior.
|
||||
- If the triage identified malware, search the environment for additional compromised hosts.
|
||||
- Implement temporary network rules, procedures, and segmentation to contain the malware.
|
||||
- Stop suspicious processes.
|
||||
- Immediately block the identified indicators of compromise (IoCs).
|
||||
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
|
||||
attackers could use to reinfect the system.
|
||||
- Remove and block malicious artifacts identified during triage.
|
||||
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
|
||||
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
|
||||
systems, and web services.
|
||||
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
|
||||
malware components.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
|
||||
mean time to respond (MTTR).
|
||||
|
||||
## Setup
|
||||
|
||||
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
|
||||
"""
|
||||
|
||||
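Review bot: the Setup paragraph closing this hunk is one run-on sentence and is ambiguous about which field is the source ("populate `event.ingested` to @timestamp"); the pipeline has to set `event.ingested` from `@timestamp`. Suggest splitting it into two sentences, for example "Events from a non-Elastic-Agent index (such as Beats) on stacks before 8.2 do not set `event.ingested`, and the default fallback for EQL rules was only added in 8.2." followed by "On those stacks, add a custom ingest pipeline that copies `@timestamp` into `event.ingested` for this rule to work.", and put backticks around `@timestamp` to match `event.ingested`.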
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/15"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -34,8 +34,8 @@ as mapping targets for credential compromise and other post-exploitation activit
|
||||
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||
- Identify the user account that performed the action and whether it should perform this kind of action.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
|
||||
network connections.
|
||||
- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
|
||||
connections.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
@@ -55,7 +55,7 @@ identified. Reset passwords for these accounts and other potentially compromised
|
||||
systems, and web services.
|
||||
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
|
||||
malware components.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
|
||||
mean time to respond (MTTR).
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/15"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -31,8 +31,8 @@ valuable shared data.
|
||||
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||
- Identify the user account that performed the action and whether it should perform this kind of action.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
|
||||
network connections.
|
||||
- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
|
||||
connections.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
@@ -48,7 +48,7 @@ identified. Reset passwords for these accounts and other potentially compromised
|
||||
systems, and web services.
|
||||
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
|
||||
malware components.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
|
||||
mean time to respond (MTTR).
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/11/02"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/15"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -34,8 +34,8 @@ media. These devices can contain valuable information for attackers.
|
||||
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||
- Identify the user account that performed the action and whether it should perform this kind of action.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
|
||||
network connections.
|
||||
- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
|
||||
connections.
|
||||
- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage
|
||||
services.
|
||||
|
||||
@@ -53,7 +53,7 @@ identified. Reset passwords for these accounts and other potentially compromised
|
||||
systems, and web services.
|
||||
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
|
||||
malware components.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
|
||||
mean time to respond (MTTR).
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/10/15"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/13"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -34,8 +34,8 @@ such as mapping targets for credential compromise and other post-exploitation ac
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
|
||||
network connections.
|
||||
- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
|
||||
connections.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Check if the file belongs to the operating system or has a valid digital signature.
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
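Review bot: the investigation steps in this hunk go from the parent-process-tree check straight to "Investigate any abnormal account behavior" without the "Identify the user account that performed the action and whether it should perform this kind of action." bullet that the other guides in this commit place before the 48-hour alert check; suggest adding it here so the account-behaviour step refers to an account the analyst has already identified.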
@@ -43,7 +43,7 @@ network connections.
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled tasks creation.
|
||||
- Scheduled task creation.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
@@ -61,7 +61,7 @@ identified. Reset passwords for these accounts and other potentially compromised
|
||||
systems, and web services.
|
||||
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
|
||||
malware components.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
|
||||
mean time to respond (MTTR).
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/15"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -30,8 +30,8 @@ which is useful for attackers to identify lateral movement targets.
|
||||
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||
- Identify the user account that performed the action and whether it should perform this kind of action.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
|
||||
network connections.
|
||||
- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
|
||||
connections.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
@@ -47,7 +47,7 @@ identified. Reset passwords for these accounts and other potentially compromised
|
||||
systems, and web services.
|
||||
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
|
||||
malware components.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
|
||||
mean time to respond (MTTR).
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/10/19"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/15"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -34,8 +34,8 @@ protections, use bypasses, etc.
|
||||
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||
- Identify the user account that performed the action and whether it should perform this kind of action.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
|
||||
network connections.
|
||||
- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
|
||||
connections.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
@@ -51,7 +51,7 @@ identified. Reset passwords for these accounts and other potentially compromised
|
||||
systems, and web services.
|
||||
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
|
||||
malware components.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
|
||||
mean time to respond (MTTR).
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/15"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -39,8 +39,8 @@ privileges, discover the current user, determine if a privilege escalation was s
|
||||
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||
- Identify the user account that performed the action and whether it should perform this kind of action.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
|
||||
network connections.
|
||||
- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
|
||||
connections.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
@@ -60,7 +60,7 @@ identified. Reset passwords for these accounts and other potentially compromised
|
||||
systems, and web services.
|
||||
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
|
||||
malware components.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
|
||||
mean time to respond (MTTR).
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
updated_date = "2022/09/13"
|
||||
updated_date = "2022/09/20"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
|
||||
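Review bot: in this metadata hunk `updated_date` sits between `maturity` and `min_stack_comments`, while every other rule file touched by this commit orders the keys `min_stack_comments`, `min_stack_version`, `updated_date`. Suggest moving the key so the `[metadata]` blocks are laid out identically across rules and diff cleanly.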
@@ -30,15 +30,15 @@ escalation.
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file
|
||||
modifications, and any spawned child processes.
|
||||
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
|
||||
and any spawned child processes.
|
||||
- Retrieve the process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled tasks creation.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
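Review bot: "Use the PowerShell Get-FileHash cmdlet" in this hunk leaves the cmdlet name unformatted, whereas other guides updated in the same commit write it as `Get-FileHash` in backticks; since a cmdlet name is code, suggest using the backticked form here and in the other unformatted occurrences so the whole batch is consistent.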
@@ -3,7 +3,7 @@ creation_date = "2020/10/30"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/15"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -18,6 +18,50 @@ license = "Elastic License v2"
|
||||
name = "Execution from Unusual Directory - Command Line"
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Execution from Unusual Directory - Command Line
|
||||
|
||||
This rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to
|
||||
hide malware and make the execution less suspicious.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Examine the command line to determine which commands or scripts were executed.
|
||||
- Retrieve the script and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination
|
||||
of parent process executable and command line conditions.
|
||||
|
||||
### Response and remediation
|
||||
|
||||
- Initiate the incident response process based on the outcome of the triage.
|
||||
- Isolate the involved host to prevent further post-compromise behavior.
|
||||
- If the triage identified malware, search the environment for additional compromised hosts.
|
||||
- Implement temporary network rules, procedures, and segmentation to contain the malware.
|
||||
- Stop suspicious processes.
|
||||
- Immediately block the identified indicators of compromise (IoCs).
|
||||
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
|
||||
attackers could use to reinfect the system.
|
||||
- Remove and block malicious artifacts identified during triage.
|
||||
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
|
||||
malware components.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
|
||||
mean time to respond (MTTR).
|
||||
|
||||
|
||||
This is related to the `Process Execution from an Unusual Directory rule`.
|
||||
|
||||
## Setup
|
||||
|
||||
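Review bot: the cross-reference near the end of this hunk places the backticks around `Process Execution from an Unusual Directory rule`, so the word "rule" renders as part of the rule name; it should read "This is related to the `Process Execution from an Unusual Directory` rule." The two blank lines separating that sentence from the MTTR bullet can also be reduced to the single blank line used between sections elsewhere in the note.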
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/15"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -43,7 +43,7 @@ but are not limited to, the Downloads and Document folders and the folder config
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled tasks creation.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/15"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -42,7 +42,7 @@ but are not limited to, the Downloads and Document folders and the folder config
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled tasks creation.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2021/10/15"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/13"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -40,7 +40,7 @@ prevalence, whether they are located in expected locations, and if they are sign
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled tasks creation.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2021/10/15"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/13"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -50,7 +50,7 @@ prevalence, whether they are located in expected locations, and if they are sign
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled tasks creation.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/03/30"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/15"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -39,7 +39,7 @@ are not limited to, the Downloads and Document folders and the folder configured
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled tasks creation.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/11/17"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/13"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -34,14 +34,14 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file
|
||||
modifications, and any spawned child processes.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.
|
||||
- Inspect the host for suspicious or abnormal behavior in the alert timeframe.
|
||||
- Retrieve the implementation (DLL, executable, etc.) and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled tasks creation.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/08/17"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/15"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -34,14 +34,14 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file
|
||||
modifications, and any spawned child processes.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.
|
||||
- Inspect the host for suspicious or abnormal behavior in the alert timeframe.
|
||||
- Retrieve the parent process executable and determine if it is malicious:
|
||||
- Use a private sandboxed malware analysis system to perform analysis.
|
||||
- Observe and collect information about the following activities:
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled tasks creation.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2020/08/14"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/15"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -16,10 +16,58 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Execution via MSSQL xp_cmdshell Stored Procedure"
|
||||
note = """## Setup
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Execution via MSSQL xp_cmdshell Stored Procedure
|
||||
|
||||
Microsoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These
|
||||
procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for
|
||||
xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to
|
||||
execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.
|
||||
|
||||
The xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server
|
||||
service account, which is often privileged.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
|
||||
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
|
||||
connections.
|
||||
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
|
||||
and any spawned child processes.
|
||||
- Examine the command line to determine if the command executed is potentially harmful or malicious.
|
||||
- Inspect the host for suspicious or abnormal behavior in the alert timeframe.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of
|
||||
it. If recurrent tasks are being executed using this mechanism, consider adding exceptions — preferably with a full
|
||||
command line.
|
||||
|
||||
### Response and remediation
|
||||
|
||||
- Initiate the incident response process based on the outcome of the triage.
|
||||
- Isolate the involved hosts to prevent further post-compromise behavior.
|
||||
- Remove and block malicious artifacts identified during triage.
|
||||
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
|
||||
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
|
||||
systems, and web services.
|
||||
- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use
|
||||
an allowlist to allow only connections from known legitimate sources.
|
||||
- Disable the xp_cmdshell stored procedure.
|
||||
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
|
||||
malware components.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
|
||||
mean time to respond (MTTR).
|
||||
|
||||
## Setup
|
||||
|
||||
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
|
||||
"""
|
||||
references = ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"]
|
||||
risk_score = 73
|
||||
rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461"
|
||||
severity = "high"
|
||||
|
||||
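Review bot: the remediation step "Disable the xp_cmdshell stored procedure." in this hunk does not address how the procedure came to be enabled, even though the description in the same hunk says it is disabled by default; someone with sufficient SQL Server privileges turned it on, so suggest adding a step to identify the login that enabled it and review that login's privileges, otherwise disabling it alone leaves the attacker able to re-enable it. Two wording nits: "The security team must monitor any activity of it" reads better as "must monitor any use of it", and "Isolate the involved hosts" is plural here while every other guide in this commit uses "the involved host".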
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/15"
|
||||
updated_date = "2022/09/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -43,7 +43,7 @@ for prevalence, whether they are located in expected locations, and if they are
|
||||
- Attempts to contact external domains and addresses.
|
||||
- File and registry access, modification, and creation activities.
|
||||
- Service creation and launch activities.
|
||||
- Scheduled tasks creation.
|
||||
- Scheduled task creation.
|
||||
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
|
||||
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
||||
- Use process name, command line, and file hash to search for occurrences in other hosts.
|
||||
|
||||
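Review bot: the trailing context line "Use process name, command line, and file hash to search for occurrences in other hosts." in this hunk (and the identical line in the two hunks that follow) should say "on other hosts"; since the adjacent "Scheduled task creation." line is already being edited, it is worth fixing in the same pass.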
@@ -3,7 +3,7 @@ creation_date = "2021/07/19"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/20"

[rule]
author = ["Elastic", "Austin Songer"]
@@ -42,7 +42,7 @@ copy objects, and delete them.
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use process name, command line, and file hash to search for occurrences in other hosts.

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
@@ -42,7 +42,7 @@ This rule monitors the execution of `wmic.exe` to interact with VSS via the `sha
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Use process name, command line, and file hash to search for occurrences in other hosts.

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
@@ -39,7 +39,7 @@ for prevalence, whether they are located in expected locations, and if they are
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
@@ -42,7 +42,7 @@ but are not limited to, the Downloads and Document folders and the folder config
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
@@ -39,7 +39,7 @@ locations include but are not limited to, the Downloads and Document folders and
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2020/07/16"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
@@ -46,8 +46,8 @@ similar remote code execution vulnerability in the DNS server.
`regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.
- If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to
`werfault.exe` occurring.
- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file
modifications, and any spawned child processes.
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
and any spawned child processes.
- Investigate other alerts associated with the host during the past 48 hours.
- Check whether the server is vulnerable to CVE-2020-1350.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.

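Review bot: the context bullet above the reworded line is awkward ("be mindful of potential child processes related to `werfault.exe` occurring"); since the point is that a failed exploit crashes the DNS Server service, say it directly, for example "If a DoS exploit succeeds and the DNS Server service crashes, expect `werfault.exe` child processes." The rewording of the abnormal-behavior bullet itself matches the form used in the other guides in this commit, which keeps the guides consistent.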
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
@@ -33,15 +33,15 @@ port scanners, exploits, and tools used to move laterally on the environment.
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Contact the account owner and confirm whether they are aware of this activity.
- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file
modifications, and any spawned child processes.
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
and any spawned child processes.
- Retrieve the process executable and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2020/11/10"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
@@ -37,7 +37,7 @@ for prevalence, whether they are located in expected locations, and if they are
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


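Review bot: `Get-FileHash` is backticked in this file, but the otherwise identical bullet in the other guides touched by this commit reads "Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values." without backticks; pick one form and apply it everywhere, preferably the backticked one, since the guides already backtick other executable and field names such as `wmic.exe` and `services.exe`.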
@@ -3,7 +3,7 @@ creation_date = "2020/11/16"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
@@ -16,6 +16,67 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Remotely Started Services via RPC"
note = """## Triage and analysis

### Investigating Remotely Started Services via RPC

The Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service
programs running on a remote computer. A remote service management session begins with the client initiating the
connection request to the server. If the server grants the request, the connection is established. The client can then
make multiple requests to modify, query the configuration, or start and stop services on the server by using the same
session until the session is terminated.

This rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the
spawn of a child process.

#### Possible investigation steps

- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the
`source.address` field to help identify the source system.
- Review network events from the source system using the source port identified on the alert and try to identify the
program used to initiate the action.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
and any spawned child processes.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate
software installations.
- Retrieve the process executable and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled task creation.
- Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.

### False positive analysis

- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved hosts to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
references = ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f"]
risk_score = 47
rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650"
severity = "medium"

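Review bot: "Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations." is ungrammatical and differs from the "Validate the activity is not related to ..." wording used in the other guides in this commit; use "Validate that the activity is not related to ...". Two smaller wording points in the same guide: "If noisy on your environment" should be "in your environment", and "Isolate the involved hosts" is plural where the other guides say "Isolate the involved host". Also consider spelling out that 4624 is the Windows Security logon event ID, since "Review login events (e.g., 4624)" gives the analyst a number with no log source.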
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
@@ -33,7 +33,7 @@ for prevalence, whether they are located in expected locations, and if they are
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2021/03/15"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
@@ -39,14 +39,14 @@ installations.
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.

### False positive analysis

- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based
on new software installations, patches, or other network administrator activity. Before entering further investigation,
on new software installations, patches, or other network administrator activity. Before undertaking further investigation,
it should be verified that this activity is not benign.

### Related rules

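Review bot: the false-positive sentence is still passive after this change ("it should be verified that this activity is not benign"), while the same paragraph in the other guides in this commit ends "verify that this activity is not benign"; since the line is being edited anyway, align it with the others.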
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
@@ -45,7 +45,7 @@ for prevalence, whether they are located in expected locations, and if they are
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/18"
maturity = "production"
updated_date = "2022/08/24"
updated_date = "2022/09/20"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

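Review bot: `updated_date` sits between `maturity` and `min_stack_comments` in this `[metadata]` block, whereas every other metadata block in this commit orders the keys `maturity`, `min_stack_comments`, `min_stack_version`, `updated_date`; reorder while bumping the date so the metadata blocks stay uniform across rule files.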
@@ -17,6 +17,66 @@ index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Startup or Run Key Registry Modification"
note = """## Triage and analysis

### Investigating Startup or Run Key Registry Modification

Adversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys
in the registry will cause the program referenced to be executed when a user logs in. These programs will executed
under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring
a range of registry run keys.

#### Possible investigation steps

- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate
software installations.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- Retrieve the process executable and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.

### False positive analysis

- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be
based on new software installations, patches, or any kind of network administrator related activity. Before undertaking
further investigation, verify that this activity is not benign.

### Related rules

- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff
- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0
- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f
- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
risk_score = 21
rule_id = "97fc44d3-8dae-4019-ae83-298c3015600f"
severity = "low"

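Review bot: grammar error in the new description: "These programs will executed under the context of the user" should read "These programs will be executed under the context of the user" (or "will run in the context of the user"); "the program referenced" would also read more naturally as "the referenced program". The rest of the guide follows the structure of the other guides in this commit.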
@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
@@ -39,7 +39,7 @@ software installations.
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2020/11/29"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
@@ -39,14 +39,14 @@ software installations.
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.

### False positive analysis

- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based
on new software installations, patches, or any kind of network administrator related activity. Before entering further
on new software installations, patches, or any kind of network administrator related activity. Before undertaking further
investigation, verify that this activity is not benign.

### Related rules

@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
@@ -39,7 +39,7 @@ software installations.
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
@@ -35,7 +35,7 @@ for prevalence, whether they are located in expected locations, and if they are
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled tasks creation.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.


@@ -3,7 +3,7 @@ creation_date = "2020/08/17"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
@@ -16,7 +16,61 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Persistence via Update Orchestrator Service Hijack"
note = """## Setup
note = """## Triage and analysis

### Investigating Persistence via Update Orchestrator Service Hijack

Windows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are
already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local
system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server
Core products. Fixed by Microsoft on Patch Tuesday June 2020.

This rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters.
Attackers can leverage this technique to elevate privileges or maintain persistence.

#### Possible investigation steps

- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
and any spawned child processes.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- Retrieve the process executable and determine if it is malicious:
- Use a private sandboxed malware analysis system to perform analysis.
- Observe and collect information about the following activities:
- Attempts to contact external domains and addresses.
- File and registry access, modification, and creation activities.
- Service creation and launch activities.
- Scheduled task creation.
- Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
- Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.

### False positive analysis

- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).

## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""

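Review bot: "uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters" is ungrammatical; "with `UsoSvc` in the command line" states what the rule actually matches on. In the paragraph above it, "Fixed by Microsoft on Patch Tuesday June 2020." is a sentence fragment ("Microsoft fixed it in the June 2020 Patch Tuesday release.") and "due to an improper authorization of the callers" reads better as "due to improper authorization of callers". The description also discusses a specific patched vulnerability without identifying it; add the vendor advisory or CVE to the rule's references so an analyst can check the host's patch level against it.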
@@ -3,7 +3,7 @@ creation_date = "2021/08/24"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
@@ -18,10 +18,60 @@ from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Webshell Detection: Script Process Child of Common Web Processes"
name = "Web Shell Detection: Script Process Child of Common Web Processes"
note = """## Triage and analysis

Detections should be investigated to identify if the activity corresponds to legitimate activity. As this rule detects post-exploitation process activity, investigations into this should be prioritized.
### Investigating Web Shell Detection: Script Process Child of Common Web Processes

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web
script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a
network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the
web server.

This rule detects a web server process spawning script and command-line interface programs, potentially indicating
attackers executing commands using the web shell.

#### Possible investigation steps

- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file
modifications, and any other spawned child processes.
- Examine the command line to determine which commands or scripts were executed.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
- If scripts or executables were dropped, retrieve the files and determine if they are malicious:
  - Use a private sandboxed malware analysis system to perform analysis.
  - Observe and collect information about the following activities:
    - Attempts to contact external domains and addresses.
    - File and registry access, modification, and creation activities.
    - Service creation and launch activities.
    - Scheduled task creation.
  - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
  - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.

### False positive analysis

- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently
malicious must be monitored by the security team.

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).

## Setup

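Review bot: the paragraph "Detections should be investigated to identify if the activity corresponds to legitimate activity. As this rule detects post-exploitation process activity, investigations into this should be prioritized." is left sitting between `## Triage and analysis` and the `### Investigating ...` heading, a layout none of the other guides in this change use; either fold it into the intro below the heading or drop it, since the prioritization point is already carried by the False positive analysis section ("This activity is unlikely to happen legitimately"). Two smaller consistency points in the same hunk: the first investigation step keeps the older wording "Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes", while the UAC bypass guides further down this diff were rewritten to "Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes"; and `Get-FileHash` is plain text here but backticked in the Print Spooler and UAC guides, so pick one form for the whole change.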
@@ -3,7 +3,7 @@ creation_date = "2021/11/25"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/13"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -40,7 +40,7 @@ for prevalence, whether they are located in expected locations, and if they are
    - Attempts to contact external domains and addresses.
    - File and registry access, modification, and creation activities.
    - Service creation and launch activities.
    - Scheduled tasks creation.
    - Scheduled task creation.
  - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
  - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.

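Review bot: the `Get-FileHash` cmdlet on the line directly after the edited "Scheduled task creation." bullet is plain text here, while the Print Spooler and UAC bypass guides touched by this same change write it as `Get-FileHash`; since this list is being edited anyway, backtick it here (the guide with creation_date 2020/02/18 in the last hunk of the diff has the same plain-text form).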
@@ -3,7 +3,7 @@ creation_date = "2020/01/07"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -17,7 +17,56 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious DLL Loaded for Persistence or Privilege Escalation"
note = """## Setup
note = """## Triage and analysis

### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation

Attackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate
privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a
default Windows installation or one that can be loaded from a different location by a native Windows process.

#### Possible investigation steps

- Examine the DLL signature and identify the process that created it.
- Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and
any spawned child processes.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Retrieve the DLL and determine if it is malicious:
  - Use a private sandboxed malware analysis system to perform analysis.
  - Observe and collect information about the following activities:
    - Attempts to contact external domains and addresses.
    - File and registry access, modification, and creation activities.
    - Service creation and launch activities.
    - Scheduled task creation.
  - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
  - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.

### False positive analysis

- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently
malicious must be monitored by the security team.

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).

## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""

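Review bot: the `## Setup` paragraph kept at the end of the note ("for versions <8.2 ... you will need to add a custom pipeline to populate `event.ingested`") is dead text for this rule, because the header hunk of the same file just above now carries `min_stack_version = "8.3.0"`, so no stack this rule can run on is affected; either drop the paragraph or, if it must stay, move it into the dedicated `setup` field that `min_stack_comments` says this change introduces rather than leaving it inside `note`. Separately, the first investigation step "Examine the DLL signature and identify the process that created it." does not say what the analyst should conclude: the rule only fires on DLLs that are not Microsoft-signed, so a valid third-party signature must not close the alert on its own, and the step should also have the analyst compare the DLL's path with the location the native Windows process would normally load that module from, since the intro says the rule covers modules "that can be loaded from a different location".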
@@ -3,22 +3,73 @@ creation_date = "2020/08/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]
description = """
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including
CVE-2020-1048 and CVE-2020-1337. .
CVE-2020-1048 and CVE-2020-1337.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious PrintSpooler SPL File Created"
note = """## Threat intel
name = "Suspicious Print Spooler SPL File Created"
note = """## Triage and analysis

Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.
### Investigating Suspicious Print Spooler SPL File Created

Print Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs
by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.

The Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like
CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location
`?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.

#### Possible investigation steps

- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
and any spawned child processes.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Inspect the host for suspicious or abnormal behavior in the alert timeframe.
- Retrieve the process executable and determine if it is malicious:
  - Use a private sandboxed malware analysis system to perform analysis.
  - Observe and collect information about the following activities:
    - Attempts to contact external domains and addresses.
    - File and registry access, modification, and creation activities.
    - Service creation and launch activities.
    - Scheduled task creation.
  - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
  - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.

### False positive analysis

- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination
of process executable and file conditions.

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
malware components.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
systems, and web services.
- Ensure that the machine has the latest security updates and is not running legacy Windows versions.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).

## Setup

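Review bot: the False positive analysis bullet "consider adding exceptions — preferably with a combination of process executable and file conditions" gives the analyst nothing to baseline against, even though the intro says the rule looks for "unusual processes writing SPL files"; name the expected writer (the spooler service process itself) so that exceptions are scoped to it and not to whatever process tripped the alert, and add the check that the old "Threat intel" text carried, namely confirming the host is patched for CVE-2020-1048 and CVE-2020-1337, as an explicit investigation step rather than only the generic "latest security updates" remediation bullet. Minor: the path `?:\\Windows\\System32\\spool\\PRINTERS\\` carries the EQL drive wildcard `?:` into prose that analysts will read, so either write a concrete drive letter or say that `?:` stands for any drive.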
@@ -3,7 +3,7 @@ creation_date = "2020/03/17"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -38,16 +38,16 @@ UAC prompt being displayed to the user. This rule detects this UAC bypass by mon
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.
- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file
modifications, and any spawned child processes.
- Inspect the host for suspicious or abnormal behavior in the alert timeframe.
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
and any spawned child processes.
- Retrieve the process executable and determine if it is malicious:
  - Use a private sandboxed malware analysis system to perform analysis.
  - Observe and collect information about the following activities:
    - Attempts to contact external domains and addresses.
    - File and registry access, modification, and creation activities.
    - Service creation and launch activities.
    - Scheduled tasks creation.
    - Scheduled task creation.
  - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
  - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.

@@ -3,7 +3,7 @@ creation_date = "2020/10/26"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -35,16 +35,16 @@ directory. Attackers may bypass UAC to stealthily execute code with elevated per
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.
- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file
modifications, and any spawned child processes.
- Inspect the host for suspicious or abnormal behavior in the alert timeframe.
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
and any spawned child processes.
- If any of the spawned processes are suspicious, retrieve them and determine if it is malicious:
  - Use a private sandboxed malware analysis system to perform analysis.
  - Observe and collect information about the following activities:
    - Attempts to contact external domains and addresses.
    - File and registry access, modification, and creation activities.
    - Service creation and launch activities.
    - Scheduled tasks creation.
    - Scheduled task creation.
  - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
  - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.

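Review bot: the unchanged context line "If any of the spawned processes are suspicious, retrieve them and determine if it is malicious:" mixes number ("them" then "it"); while the bullets around it are being reworded, change it to "retrieve them and determine if they are malicious:". The same line appears in the next UAC bypass hunk (creation_date 2020/10/14) and should get the same fix.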
@@ -3,7 +3,7 @@ creation_date = "2020/10/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -35,16 +35,16 @@ Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with e
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.
- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file
modifications, and any spawned child processes.
- Inspect the host for suspicious or abnormal behavior in the alert timeframe.
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
and any spawned child processes.
- If any of the spawned processes are suspicious, retrieve them and determine if it is malicious:
  - Use a private sandboxed malware analysis system to perform analysis.
  - Observe and collect information about the following activities:
    - Attempts to contact external domains and addresses.
    - File and registry access, modification, and creation activities.
    - Service creation and launch activities.
    - Scheduled tasks creation.
    - Scheduled task creation.
  - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
  - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.

@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"
updated_date = "2022/09/20"

[rule]
author = ["Elastic"]

@@ -31,15 +31,15 @@ This rule uses this information to spot suspicious parent and child processes.
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file
modifications, and any spawned child processes.
- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
and any spawned child processes.
- Retrieve the process executable and determine if it is malicious:
  - Use a private sandboxed malware analysis system to perform analysis.
  - Observe and collect information about the following activities:
    - Attempts to contact external domains and addresses.
    - File and registry access, modification, and creation activities.
    - Service creation and launch activities.
    - Scheduled tasks creation.
    - Scheduled task creation.
  - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
  - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
