From f02ffbbe13353c8653ae03867290a9d35a1f2730 Mon Sep 17 00:00:00 2001 
From: Jonhnathan Date: Fri, 23 Sep 2022 14:44:24 -0700 Subject: [PATCH] [Security Content] Add Investigation Guides - 8.5 (#2305) * [Security Content] Add Investigation Guides - 8.5 * Update persistence_run_key_and_startup_broad.toml * Apply suggestions from security-docs review review * Update execution_suspicious_jar_child_process.toml * Apply suggestions from review --- ...xecution_suspicious_jar_child_process.toml | 42 ++++++++++++- ...d_control_certutil_network_connection.toml | 4 +- ...ommand_and_control_common_webservices.toml | 4 +- ...ol_remote_file_copy_desktopimgdownldr.toml | 4 +- ...and_control_remote_file_copy_mpcmdrun.toml | 4 +- ...d_control_remote_file_copy_powershell.toml | 4 +- ..._and_control_remote_file_copy_scripts.toml | 4 +- ...control_sunburst_c2_activity_detected.toml | 4 +- ...d_control_teamviewer_remote_file_copy.toml | 4 +- ...ial_access_credential_dumping_msbuild.toml | 4 +- ..._access_kerberoasting_unusual_process.toml | 4 +- ...al_access_lsass_memdump_handle_access.toml | 4 +- ..._access_mod_wdigest_security_provider.toml | 4 +- .../defense_evasion_amsienable_key_mod.toml | 4 +- ...e_evasion_create_mod_root_certificate.toml | 4 +- ...ion_defender_exclusion_via_powershell.toml | 4 +- ...n_enable_network_discovery_with_netsh.toml | 4 +- ...ecution_msbuild_started_by_office_app.toml | 4 +- ...e_evasion_ms_office_suspicious_regmod.toml | 4 +- .../defense_evasion_posh_assembly_load.toml | 4 +- .../defense_evasion_posh_compressed.toml | 4 +- ..._powershell_windows_firewall_disabled.toml | 4 +- ...picious_process_access_direct_syscall.toml | 8 +-- ..._critical_proc_abnormal_file_activity.toml | 8 +-- ...nse_evasion_unusual_ads_file_creation.toml | 63 ++++++++++++++++++- rules/windows/discovery_admin_recon.toml | 8 +-- rules/windows/discovery_net_view.toml | 8 +-- .../windows/discovery_peripheral_device.toml | 8 +-- ...very_privileged_localgroup_membership.toml | 10 +-- ...ote_system_discovery_commands_windows.toml | 8 +-- 
.../discovery_security_software_wmic.toml | 8 +-- .../discovery_whoami_command_activity.toml | 8 +-- ...tion_command_shell_started_by_svchost.toml | 8 +-- .../execution_from_unusual_path_cmdline.toml | 46 +++++++++++++- .../execution_ms_office_written_file.toml | 4 +- rules/windows/execution_pdf_written_file.toml | 4 +- .../execution_posh_portable_executable.toml | 4 +- rules/windows/execution_posh_psreflect.toml | 4 +- .../execution_suspicious_pdf_reader.toml | 4 +- ...ecution_suspicious_powershell_imgload.toml | 6 +- .../execution_via_hidden_shell_conhost.toml | 6 +- ...ia_xp_cmdshell_mssql_stored_procedure.toml | 52 ++++++++++++++- ...copy_deletion_or_resized_via_vssadmin.toml | 4 +- ...e_shadow_copy_deletion_via_powershell.toml | 4 +- ..._volume_shadow_copy_deletion_via_wmic.toml | 4 +- ...al_access_script_executing_powershell.toml | 4 +- ...ss_suspicious_ms_office_child_process.toml | 4 +- ...s_suspicious_ms_outlook_child_process.toml | 4 +- ...l_access_unusual_dns_service_children.toml | 6 +- ...vement_direct_outbound_smb_connection.toml | 8 +-- ...movement_executable_tool_transfer_smb.toml | 4 +- .../lateral_movement_remote_services.toml | 63 ++++++++++++++++++- .../persistence_adobe_hijack_persistence.toml | 4 +- ...egistry_startup_shell_folder_modified.toml | 6 +- ...escalation_via_accessibility_features.toml | 4 +- ...persistence_run_key_and_startup_broad.toml | 62 +++++++++++++++++- ...er_file_written_by_suspicious_process.toml | 4 +- ...lder_file_written_by_unsigned_process.toml | 6 +- .../persistence_startup_folder_scripts.toml | 4 +- ...stence_suspicious_com_hijack_registry.toml | 4 +- ...ia_update_orchestrator_service_hijack.toml | 58 ++++++++++++++++- .../persistence_webshell_detection.toml | 56 ++++++++++++++++- ...rivilege_escalation_installertakeover.toml | 4 +- ...ge_escalation_persistence_phantom_dll.toml | 53 +++++++++++++++- ...tion_printspooler_suspicious_spl_file.toml | 61 ++++++++++++++++-- ...ge_escalation_uac_bypass_event_viewer.toml | 
10 +--
...ege_escalation_uac_bypass_mock_windir.toml | 10 +--
...scalation_uac_bypass_winfw_mmc_hijack.toml | 10 +--
...tion_unusual_parentchild_relationship.toml | 8 +--
69 files changed, 692 insertions(+), 178 deletions(-)
mode change 100755 => 100644 rules/windows/credential_access_credential_dumping_msbuild.toml
diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml
index 11963546d..02222e9bf 100644
--- a/rules/cross-platform/execution_suspicious_jar_child_process.toml
+++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,45 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious JAVA Child Process"
-note = """## Setup
+note = """## Triage and analysis
+
+### Investigating Suspicious Java Child Process
+
+This rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute
+a malicious JAR file or an exploitation attempt via a Java specific vulnerability.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence and whether they are located in expected locations.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
+connections.
+- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any
+spawned child processes.
+- Examine the command line to determine if the command executed is potentially harmful or malicious.
+- Inspect the host for suspicious or abnormal behavior in the alert timeframe.
+
+### False positive analysis
+
+- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination
+of process and command line conditions.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Remove and block malicious artifacts identified during triage.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+
+## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml
index 9c581cd70..78c5687fd 100644
--- a/rules/windows/command_and_control_certutil_network_connection.toml
+++ b/rules/windows/command_and_control_certutil_network_connection.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ prevalence, whether they are located in expected locations, and if they are sign
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index e9f5febbf..5befdbbdf 100644
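Review bot: The investigation steps in the new `note` for the Suspicious JAVA Child Process rule never point the analyst at the parent Java process, even though the guide's own description says the alert may stem from a malicious JAR or an exploited Java application; the step `- Examine the command line to determine if the command executed is potentially harmful or malicious.` only covers the child. Consider adding a step such as `- Examine the parent Java process's command line and arguments to identify the JAR file or application that spawned the child, and check whether that application is running a known-vulnerable version.` Unlike the other guides in this PR, the first step omits the `signed with valid digital signatures` check; that is reasonable for a cross-platform rule indexed from auditbeat, but a short hedge such as `(where the platform supports code signing)` would make the omission deliberate rather than accidental. The heading `### Investigating Suspicious Java Child Process` also differs in casing from the rule's `name = "Suspicious JAVA Child Process"`; the two should match so the guide is easy to find from the alert.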
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -42,7 +42,7 @@ prevalence, whether they are located in expected locations, and if they are sign
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index dd4cc26a4..c6aec2af8 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -43,7 +43,7 @@ from an internal system.
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index a17881b18..c1c8463fa 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ for prevalence, whether they are located in expected locations, and if they are
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index bc1fcdb5b..b29ec83e6 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ for prevalence, whether they are located in expected locations, and if they are
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index 4f6123352..ff4bc1499 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ for prevalence, whether they are located in expected locations, and if they are
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 - Manually analyze the script to determine if malicious capabilities are present.
diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index b74b5795d..e02d7c122 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -44,7 +44,7 @@ for prevalence, whether they are located in expected locations, and if they are
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 - Investigate whether the potential malware ran successfully, is active on the host, or was stopped by defenses.
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index eeee64c3b..2f40b9934 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ access.
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
old mode 100755
new mode 100644
index 6db7ebeea..11e61bb67
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -46,7 +46,7 @@ modifications, and any spawned child processes.
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 - Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target
diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index 0e24e77b0..2f18c66a4 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -45,7 +45,7 @@ for prevalence, whether they are located in expected locations, and if they are
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml
index 306f56f50..ab185579e 100644
--- a/rules/windows/credential_access_lsass_memdump_handle_access.toml
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml
@@ -3,7 +3,7 @@ creation_date = "2022/02/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -44,7 +44,7 @@ for prevalence, whether they are located in expected locations, and if they are
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index 826e59878..5cb3e7ac1 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -44,7 +44,7 @@ prevalence, whether they are located in expected locations, and if they are sign
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 - Use process name, command line, and file hash to search for occurrences on other hosts.
diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml
index db022f09e..2d59eb344 100644
--- a/rules/windows/defense_evasion_amsienable_key_mod.toml
+++ b/rules/windows/defense_evasion_amsienable_key_mod.toml
@@ -3,7 +3,7 @@ creation_date = "2021/06/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -42,7 +42,7 @@ for prevalence, whether they are located in expected locations, and if they are
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 - Use process name, command line, and file hash to search for occurrences on other hosts.
diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml
index 728faba21..d16e3ff03 100644
--- a/rules/windows/defense_evasion_create_mod_root_certificate.toml
+++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml
@@ -3,7 +3,7 @@ creation_date = "2021/02/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -45,7 +45,7 @@ modifications, and any spawned child processes.
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index 41a503421..c761b30be 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/20"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ for prevalence, whether they are located in expected locations, and if they are
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
index 491be5199..64fd5cc3e 100644
--- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
@@ -3,7 +3,7 @@ creation_date = "2021/07/07"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ for prevalence, whether they are located in expected locations, and if they are
 - Identify the user account that performed the action and whether it should perform this kind of action.
 - Contact the account owner and confirm whether they are aware of this activity.
 - Investigate other alerts associated with the user/host during the past 48 hours.
-- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.
+- Inspect the host for suspicious or abnormal behavior in the alert timeframe.
 
 ### False positive analysis
 
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index 8a6ceecc1..37b9abc23 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@ but are not limited to, the Downloads and Document folders and the folder config
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
index 8c4d1cd37..e66b05b39 100644
--- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
@@ -3,7 +3,7 @@ creation_date = "2022/01/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -55,7 +55,7 @@ for prevalence, whether they are located in expected locations, and if they are
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
index f5cfd2c8d..26670787a 100644
--- a/rules/windows/defense_evasion_posh_assembly_load.toml
+++ b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -41,7 +41,7 @@ prevalence, whether they are located in expected locations, and if they are sign
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml
index 752799620..54b27a874 100644
--- a/rules/windows/defense_evasion_posh_compressed.toml
+++ b/rules/windows/defense_evasion_posh_compressed.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -42,7 +42,7 @@ prevalence, whether they are located in expected locations, and if they are sign
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index 142f4498b..8f4c49c18 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Austin Songer"]
@@ -42,7 +42,7 @@ for prevalence, whether they are located in expected locations, and if they are
 - Identify the user account that performed the action and whether it should perform this kind of action.
 - Contact the account owner and confirm whether they are aware of this activity.
 - Investigate other alerts associated with the user/host during the past 48 hours.
-- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.
+- Inspect the host for suspicious or abnormal behavior in the alert timeframe.
 
 ### False positive analysis
 
diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
index e98b219ca..2da0050e5 100644
--- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
+++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -34,15 +34,15 @@ calls to bypass security solutions that rely on hooks.
 - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
 for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
 - Investigate other alerts associated with the user/host during the past 48 hours.
-- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file
-modifications, and any spawned child processes.
+- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
+and any spawned child processes.
 - Retrieve the process executable and determine if it is malicious:
 - Use a private sandboxed malware analysis system to perform analysis.
 - Observe and collect information about the following activities:
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index 5ac0e95bc..470bd218b 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -3,7 +3,7 @@ creation_date = "2020/08/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -31,15 +31,15 @@ of a vulnerability or a malicious process masquerading as a system-critical proc
 - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
 for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
 - Investigate other alerts associated with the user/host during the past 48 hours.
-- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file
-modifications, and any spawned child processes.
+- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
+and any spawned child processes.
 - Retrieve the process executable and determine if it is malicious:
 - Use a private sandboxed malware analysis system to perform analysis.
 - Observe and collect information about the following activities:
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index 004e22e66..a56ecd5d0 100644
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2021/01/21"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,66 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual File Creation - Alternate Data Stream"
-note = """## Setup
+note = """## Triage and analysis
+
+### Investigating Unusual File Creation - Alternate Data Stream
+
+Alternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are
+built up from a couple of attributes; one of them is $Data, also known as the data attribute.
+
+The regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty,
+contains the data inside the file. So any data stream that has a name is considered an alternate data stream.
+
+Attackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the
+creation of alternate data streams on highly targeted file types.
+
+#### Possible investigation steps
+
+- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the
+following PowerShell cmdlet to accomplish this:
+ - `Get-Content -file C:\\Path\\To\\file.exe -stream ADSname`
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
+and any spawned child processes.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
+- Retrieve the process executable and determine if it is malicious:
+ - Use a private sandboxed malware analysis system to perform analysis.
+ - Observe and collect information about the following activities:
+ - Attempts to contact external domains and addresses.
+ - File and registry access, modification, and creation activities.
+ - Service creation and launch activities.
+ - Scheduled task creation.
+ - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
+ - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False positive analysis
+
+- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination
+of process executable and file conditions.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+ - Implement temporary network rules, procedures, and segmentation to contain the malware.
+ - Stop suspicious processes.
+ - Immediately block the identified indicators of compromise (IoCs).
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
+ attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+
+## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index 76bc09952..d59f4d41d 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -34,8 +34,8 @@ as mapping targets for credential compromise and other post-exploitation activit
 for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
 - Identify the user account that performed the action and whether it should perform this kind of action.
 - Investigate other alerts associated with the user/host during the past 48 hours.
-- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
-network connections.
+- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
+connections.
 
 ### False positive analysis
 
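Review bot: The PowerShell example added under "Possible investigation steps", `Get-Content -file C:\\Path\\To\\file.exe -stream ADSname`, uses a `-file` parameter that Get-Content does not document; its path parameters are `-Path` and `-LiteralPath` (with `-Stream` selecting the named stream), so an analyst pasting the line as written will most likely get a parameter-binding error. Suggest `Get-Content -Path C:\\Path\\To\\file.exe -Stream ADSname`, keeping the doubled backslashes because the text sits inside a TOML basic multi-line string. The guide also never says where the analyst obtains `ADSname`; a short pointer to the file path in the alerting event, which presumably carries the stream name, would close that gap.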
@@ -55,7 +55,7 @@ identified. Reset passwords for these accounts and other potentially compromised
 systems, and web services.
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
 malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
 
diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml
index 6b9344997..12a7055f6 100644
--- a/rules/windows/discovery_net_view.toml
+++ b/rules/windows/discovery_net_view.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -31,8 +31,8 @@ valuable shared data.
 for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
 - Identify the user account that performed the action and whether it should perform this kind of action.
 - Investigate other alerts associated with the user/host during the past 48 hours.
-- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
-network connections.
+- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
+connections.
 
 ### False positive analysis
 
@@ -48,7 +48,7 @@ identified. Reset passwords for these accounts and other potentially compromised
 systems, and web services.
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
 malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
 
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index 344bc51bc..b483a3d2c 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -34,8 +34,8 @@ media. These devices can contain valuable information for attackers.
 for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
 - Identify the user account that performed the action and whether it should perform this kind of action.
 - Investigate other alerts associated with the user/host during the past 48 hours.
-- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
-network connections.
+- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
+connections.
 - Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.
@@ -53,7 +53,7 @@ identified. Reset passwords for these accounts and other potentially compromised
 systems, and web services.
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
 malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
 
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index 373b7ac4b..1ce5bf8ad 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -34,8 +34,8 @@ such as mapping targets for credential compromise and other post-exploitation ac
 - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
 for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
 - Investigate other alerts associated with the user/host during the past 48 hours.
-- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
-network connections.
+- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
+connections.
 - Retrieve the process executable and determine if it is malicious:
 - Check if the file belongs to the operating system or has a valid digital signature.
 - Use a private sandboxed malware analysis system to perform analysis.
@@ -43,7 +43,7 @@ network connections.
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 
 ### False positive analysis
 
@@ -61,7 +61,7 @@ identified. Reset passwords for these accounts and other potentially compromised
 systems, and web services.
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
 malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
 
diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
index 6a36517f8..4430e9444 100644
--- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
@@ -3,7 +3,7 @@ creation_date = "2020/12/04"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -30,8 +30,8 @@ which is useful for attackers to identify lateral movement targets.
 for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
 - Identify the user account that performed the action and whether it should perform this kind of action.
 - Investigate other alerts associated with the user/host during the past 48 hours.
-- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
-network connections.
+- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
+connections.
 
 ### False positive analysis
 
@@ -47,7 +47,7 @@ identified. Reset passwords for these accounts and other potentially compromised
 systems, and web services.
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
 malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
 
diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml
index b95d3263b..e561d847c 100644
--- a/rules/windows/discovery_security_software_wmic.toml
+++ b/rules/windows/discovery_security_software_wmic.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/19"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -34,8 +34,8 @@ protections, use bypasses, etc.
 for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
 - Identify the user account that performed the action and whether it should perform this kind of action.
 - Investigate other alerts associated with the user/host during the past 48 hours.
-- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
-network connections.
+- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
+connections.
 
 ### False positive analysis
 
@@ -51,7 +51,7 @@ identified. Reset passwords for these accounts and other potentially compromised
 systems, and web services.
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
 malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
 
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index e9b810977..f5e556e8c 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -39,8 +39,8 @@ privileges, discover the current user, determine if a privilege escalation was s
 for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
 - Identify the user account that performed the action and whether it should perform this kind of action.
 - Investigate other alerts associated with the user/host during the past 48 hours.
-- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
-network connections.
+- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
+connections.
 
 ### False positive analysis
 
@@ -60,7 +60,7 @@ identified. Reset passwords for these accounts and other potentially compromised
 systems, and web services.
 - Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
 malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
 
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 2f9d94efb..2537d9816 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -30,15 +30,15 @@ escalation.
 - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
 for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
 - Investigate other alerts associated with the user/host during the past 48 hours.
-- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file
-modifications, and any spawned child processes.
+- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
+and any spawned child processes.
 - Retrieve the process executable and determine if it is malicious:
 - Use a private sandboxed malware analysis system to perform analysis.
 - Observe and collect information about the following activities:
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index bf8729530..bcddd7017 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -3,7 +3,7 @@ creation_date = "2020/10/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -18,6 +18,50 @@ license = "Elastic License v2"
 name = "Execution from Unusual Directory - Command Line"
 note = """## Triage and analysis
 
+### Investigating Execution from Unusual Directory - Command Line
+
+This rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to
+hide malware and make the execution less suspicious.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Examine the command line to determine which commands or scripts were executed.
+- Retrieve the script and determine if it is malicious:
+ - Use a private sandboxed malware analysis system to perform analysis.
+ - Observe and collect information about the following activities:
+ - Attempts to contact external domains and addresses.
+ - File and registry access, modification, and creation activities.
+ - Service creation and launch activities.
+ - Scheduled task creation.
+ - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
+ - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False positive analysis
+
+- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination
+of parent process executable and command line conditions.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+ - Implement temporary network rules, procedures, and segmentation to contain the malware.
+ - Stop suspicious processes.
+ - Immediately block the identified indicators of compromise (IoCs).
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
+ attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+
+
 This is related to the `Process Execution from an Unusual Directory rule`.
 
 ## Setup
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index 14997c14e..3684fad02 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -43,7 +43,7 @@ but are not limited to, the Downloads and Document folders and the folder config
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
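Review bot: The two consecutive added blank lines after `+mean time to respond (MTTR).` leave a double blank before the pre-existing sentence `This is related to the ...` and make that cross-reference dangle at the end of "Response and remediation"; one of the blanks should go, and the sentence reads better under the "Investigating Execution from Unusual Directory - Command Line" heading, next to the description of what the rule looks for. While touching it, the surrounding code span encloses the word rule as well, so the closing backtick should move before it, giving `Process Execution from an Unusual Directory` rule. This guide also omits the credential-exposure step that the Alternate Data Stream guide added in the same commit carries; if that is deliberate for a command-line execution rule it is fine, otherwise the bullet belongs here too for consistency.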
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index e6cbb4a8c..e925b96da 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -42,7 +42,7 @@ but are not limited to, the Downloads and Document folders and the folder config
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml
index baa391cdc..232c7aa6e 100644
--- a/rules/windows/execution_posh_portable_executable.toml
+++ b/rules/windows/execution_posh_portable_executable.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ prevalence, whether they are located in expected locations, and if they are sign
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml
index 7841a8c07..d435b83ac 100644
--- a/rules/windows/execution_posh_psreflect.toml
+++ b/rules/windows/execution_posh_psreflect.toml
@@ -3,7 +3,7 @@ creation_date = "2021/10/15"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -50,7 +50,7 @@ prevalence, whether they are located in expected locations, and if they are sign
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 4492b3921..306d06b4f 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/30"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ are not limited to, the Downloads and Document folders and the folder configured
 - Attempts to contact external domains and addresses.
 - File and registry access, modification, and creation activities.
 - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
 - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
 
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index b178b8c0a..2ef227d9e 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/17"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 
 [rule]
 author = ["Elastic"]
@@ -34,14 +34,14 @@ for prevalence, whether they are located in expected locations, and if they are - Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes. - Investigate other alerts associated with the user/host during the past 48 hours. -- Inspect the host for suspicious or abnormal behaviors in the alert timeframe. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. - Retrieve the implementation (DLL, executable, etc.) and determine if it is malicious: - Use a private sandboxed malware analysis system to perform analysis. - Observe and collect information about the following activities: - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml index 9ed74d400..f767b2b97 100644 --- a/rules/windows/execution_via_hidden_shell_conhost.toml +++ b/rules/windows/execution_via_hidden_shell_conhost.toml @@ -3,7 +3,7 @@ creation_date = "2020/08/17" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/20" [rule] author = ["Elastic"] 
@@ -34,14 +34,14 @@ for prevalence, whether they are located in expected locations, and if they are - Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes. - Investigate other alerts associated with the user/host during the past 48 hours. -- Inspect the host for suspicious or abnormal behaviors in the alert timeframe. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. - Retrieve the parent process executable and determine if it is malicious: - Use a private sandboxed malware analysis system to perform analysis. - Observe and collect information about the following activities: - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml index 10664e8dc..27bef0872 100644 --- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml +++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml @@ -3,7 +3,7 @@ creation_date = "2020/08/14" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/20" [rule] author = ["Elastic"] 
@@ -16,10 +16,58 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via MSSQL xp_cmdshell Stored Procedure"
-note = """## Setup
+note = """## Triage and analysis
+
+### Investigating Execution via MSSQL xp_cmdshell Stored Procedure
+
+Microsoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These
+procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for
+xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to
+execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.
+
+The xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server
+service account, which is often privileged.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network
+connections.
+- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
+and any spawned child processes.
+- Examine the command line to determine if the command executed is potentially harmful or malicious.
+- Inspect the host for suspicious or abnormal behavior in the alert timeframe.
+
+### False positive analysis
+
+- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of
+it. If recurrent tasks are being executed using this mechanism, consider adding exceptions — preferably with a full
+command line.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Remove and block malicious artifacts identified during triage.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use
+an allowlist to allow only connections from known legitimate sources.
+- Disable the xp_cmdshell stored procedure.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+
+## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """
+references = ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"]
 risk_score = 73
 rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461"
 severity = "high"
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index 97e3e5541..3ce3d7c6c 100644
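Review bot: The new investigation steps never tell the analyst to identify the SQL principal that invoked the procedure, which is the central triage question for an `xp_cmdshell` alert, and the note itself points out the feature is disabled by default without asking whether it was recently enabled. I would add a step under "Possible investigation steps" such as `- Review the SQL Server error and audit logs for the login and session that invoked xp_cmdshell, and check whether the option was enabled shortly before the alert (sp_configure 'xp_cmdshell').` The false-positive bullet also reads awkwardly: `The security team must monitor any activity of it.` could become `any use of it should be monitored.` The EQL query that this note documents is outside the hunk, so I cannot confirm which process fields the steps should reference.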
--- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/20" [rule] author = ["Elastic"] @@ -43,7 +43,7 @@ for prevalence, whether they are located in expected locations, and if they are - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Use process name, command line, and file hash to search for occurrences in other hosts. diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml index 9895d7712..a914f2236 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml @@ -3,7 +3,7 @@ creation_date = "2021/07/19" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/20" [rule] author = ["Elastic", "Austin Songer"] 
@@ -42,7 +42,7 @@ copy objects, and delete them. - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Use process name, command line, and file hash to search for occurrences in other hosts. diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml index 5e1be6a5d..f3ba2d76e 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/20" [rule] author = ["Elastic"] @@ -42,7 +42,7 @@ This rule monitors the execution of `wmic.exe` to interact with VSS via the `sha - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Use process name, command line, and file hash to search for occurrences in other hosts. diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml index 540091cd6..88ee8f16d 100644 
--- a/rules/windows/initial_access_script_executing_powershell.toml +++ b/rules/windows/initial_access_script_executing_powershell.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/20" [rule] author = ["Elastic"] @@ -39,7 +39,7 @@ for prevalence, whether they are located in expected locations, and if they are - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Determine how the script file was delivered (email attachment, dropped by other processes, etc.). diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index eaa36642e..8a2207a81 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/20" [rule] author = ["Elastic"] 
@@ -42,7 +42,7 @@ but are not limited to, the Downloads and Document folders and the folder config - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index 7a46b7f98..c89a914e0 100644 --- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/20" [rule] author = ["Elastic"] @@ -39,7 +39,7 @@ locations include but are not limited to, the Downloads and Document folders and - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml index 21b4927db..0656e96af 100644 --- a/rules/windows/initial_access_unusual_dns_service_children.toml +++ b/rules/windows/initial_access_unusual_dns_service_children.toml 
@@ -3,7 +3,7 @@ creation_date = "2020/07/16" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/09/20" [rule] author = ["Elastic"] @@ -46,8 +46,8 @@ similar remote code execution vulnerability in the DNS server. `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`. - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring. -- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file -modifications, and any spawned child processes. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, +and any spawned child processes. - Investigate other alerts associated with the host during the past 48 hours. - Check whether the server is vulnerable to CVE-2020-1350. - Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml index 8a0e3a9f8..a60c4ff39 100644 --- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml +++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/09/20" [rule] author = ["Elastic"] 
@@ -33,15 +33,15 @@ port scanners, exploits, and tools used to move laterally on the environment. for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. - Investigate other alerts associated with the user/host during the past 48 hours. - Contact the account owner and confirm whether they are aware of this activity. -- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file -modifications, and any spawned child processes. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, +and any spawned child processes. - Retrieve the process executable and determine if it is malicious: - Use a private sandboxed malware analysis system to perform analysis. - Observe and collect information about the following activities: - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml index ff943aad3..403cbbbe5 100644 --- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml +++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/10" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/09/20" [rule] author = ["Elastic"] 
@@ -37,7 +37,7 @@ for prevalence, whether they are located in expected locations, and if they are - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml index 73dbf80de..71a686312 100644 --- a/rules/windows/lateral_movement_remote_services.toml +++ b/rules/windows/lateral_movement_remote_services.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/16" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/20" [rule] author = ["Elastic"] 
@@ -16,6 +16,67 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remotely Started Services via RPC"
+note = """## Triage and analysis
+
+### Investigating Remotely Started Services via RPC
+
+The Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service
+programs running on a remote computer. A remote service management session begins with the client initiating the
+connection request to the server. If the server grants the request, the connection is established. The client can then
+make multiple requests to modify, query the configuration, or start and stop services on the server by using the same
+session until the session is terminated.
+
+This rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the
+spawn of a child process.
+
+#### Possible investigation steps
+
+- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the
+`source.address` field to help identify the source system.
+- Review network events from the source system using the source port identified on the alert and try to identify the
+program used to initiate the action.
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications,
+and any spawned child processes.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate
+software installations.
+- Retrieve the process executable and determine if it is malicious:
+ - Use a private sandboxed malware analysis system to perform analysis.
+ - Observe and collect information about the following activities:
+ - Attempts to contact external domains and addresses.
+ - File and registry access, modification, and creation activities.
+ - Service creation and launch activities.
+ - Scheduled task creation.
+ - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
+ - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False positive analysis
+
+- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+ - Implement temporary network rules, procedures, and segmentation to contain the malware.
+ - Stop suspicious processes.
+ - Immediately block the identified indicators of compromise (IoCs).
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
+ attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+"""
+references = ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f"]
 risk_score = 47
 rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650"
 severity = "medium"
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index ce4a96110..8b53b0a8b 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -3,7 +3,7 @@ creation_date = "2020/02/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ for prevalence, whether they are located in expected locations, and if they are - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index 51aff5524..ae801b788 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
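Review bot: Two wording slips in the new note: `Validate if the activity is not related to planned patches…` should read `Validate that the activity is not related to…` (the Run-key note added later in this patch already uses the correct form), and `If noisy on your environment` should be `If noisy in your environment`. On substance, the investigation steps identify the source host via 4624 and `source.address` but never point the analyst at the service that was created or started, which is the artifact the rule is about; a step such as `- Review System event 7045 (and Security event 4697 where enabled) in the alert timeframe to identify the service name, binary path, and the account that installed it.` would close that gap. Whether those events are collected depends on the deployment's audit configuration, so the step should be phrased as "where available".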
@@ -3,7 +3,7 @@ creation_date = "2021/03/15" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/09/20" [rule] author = ["Elastic"] @@ -39,14 +39,14 @@ installations. - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. ### False positive analysis - There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based -on new software installations, patches, or other network administrator activity. Before entering further investigation, +on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign. ### Related rules diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml index e44df75d9..32a161fbe 100644 --- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml +++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/20" [rule] author = ["Elastic"] 
@@ -45,7 +45,7 @@ for prevalence, whether they are located in expected locations, and if they are - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml index 4b720ed93..4dc139274 100644 --- a/rules/windows/persistence_run_key_and_startup_broad.toml +++ b/rules/windows/persistence_run_key_and_startup_broad.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/18" maturity = "production" -updated_date = "2022/08/24" +updated_date = "2022/09/20" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
@@ -17,6 +17,66 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Startup or Run Key Registry Modification"
+note = """## Triage and analysis
+
+### Investigating Startup or Run Key Registry Modification
+
+Adversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys
+in the registry will cause the program referenced to be executed when a user logs in. These programs will executed
+under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring
+a range of registry run keys.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate
+software installations.
+- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
+- Retrieve the process executable and determine if it is malicious:
+ - Use a private sandboxed malware analysis system to perform analysis.
+ - Observe and collect information about the following activities:
+ - Attempts to contact external domains and addresses.
+ - File and registry access, modification, and creation activities.
+ - Service creation and launch activities.
+ - Scheduled task creation.
+ - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
+ - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False positive analysis
+
+- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be
+based on new software installations, patches, or any kind of network administrator related activity. Before undertaking
+further investigation, verify that this activity is not benign.
+
+### Related rules
+
+- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff
+- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0
+- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f
+- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+ - Implement temporary network rules, procedures, and segmentation to contain the malware.
+ - Stop suspicious processes.
+ - Immediately block the identified indicators of compromise (IoCs).
+ - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
+ attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+"""
 risk_score = 21
 rule_id = "97fc44d3-8dae-4019-ae83-298c3015600f"
 severity = "low"
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index b2a085725..85f4569ad 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/18"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/13"
+updated_date = "2022/09/20"
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ software installations. - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities.
- - Scheduled tasks creation.
+ - Scheduled task creation.
 - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
index ec7d806d4..bf657a64a 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
@@ -3,7 +3,7 @@ creation_date = "2020/11/29"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/15"
+updated_date = "2022/09/20"
 [rule]
 author = ["Elastic"]
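Review bot: Grammar error in the new description: `These programs will executed under the context of the user` should be `These programs will be executed under the context of the user`. The investigation steps also never direct the analyst to the registry artifact the rule fires on — the key path and the value that was written — which is the first thing to check before retrieving the executable; I would add `- Review the registry key and value written (the `registry.path` field and, where populated, `registry.data.strings`) to identify the program or command line that will run at logon.` as the first step. The hunk only adds the `note` field; the query it documents is outside the hunk, so the exact field names should be checked against it.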
@@ -39,14 +39,14 @@ software installations. - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. ### False positive analysis - There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based -on new software installations, patches, or any kind of network administrator related activity. Before entering further +on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign. ### Related rules diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml index 12d42bfb0..b707dcfe3 100644 --- a/rules/windows/persistence_startup_folder_scripts.toml +++ b/rules/windows/persistence_startup_folder_scripts.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/09/20" [rule] author = ["Elastic"] @@ -39,7 +39,7 @@ software installations. - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. 
diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml index 65a82d75b..7dcc4d5c0 100644 --- a/rules/windows/persistence_suspicious_com_hijack_registry.toml +++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/09/20" [rule] author = ["Elastic"] @@ -35,7 +35,7 @@ for prevalence, whether they are located in expected locations, and if they are - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml index e12d50884..a0a676138 100644 --- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml +++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml @@ -3,7 +3,7 @@ creation_date = "2020/08/17" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/09/20" [rule] author = ["Elastic"] 
@@ -16,7 +16,61 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Persistence via Update Orchestrator Service Hijack" -note = """## Setup +note = """## Triage and analysis + +### Investigating Persistence via Update Orchestrator Service Hijack + +Windows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are +already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local +system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server +Core products. Fixed by Microsoft on Patch Tuesday June 2020. + +This rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. +Attackers can leverage this technique to elevate privileges or maintain persistence. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, +and any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- Retrieve the process executable and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. 
+ - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). 
+ +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index 77f61da2f..e8c48b5c6 100644 --- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml @@ -3,7 +3,7 @@ creation_date = "2021/08/24" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/09/20" [rule] author = ["Elastic"] 
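Review bot: The new guide states the Update Orchestrator Service elevation-of-privilege flaw was "Fixed by Microsoft on Patch Tuesday June 2020", yet the "Response and remediation" list never asks the analyst to confirm the host is patched, which is the first thing a responder will want to rule in or out when a `UsoSvc` child process alerts. The Print Spooler guide in this same commit already carries the line `- Ensure that the machine has the latest security updates and is not running legacy Windows versions.`; adding it here keeps the two guides consistent. Two wording fixes in the same block: "Fixed by Microsoft on Patch Tuesday June 2020." is a sentence fragment (`Microsoft fixed the vulnerability in the June 2020 Patch Tuesday release.`), and "with `UsoSvc` as the command line parameters" reads better as `with `UsoSvc` in the command line`.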
@@ -18,10 +18,60 @@ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" -name = "Webshell Detection: Script Process Child of Common Web Processes" +name = "Web Shell Detection: Script Process Child of Common Web Processes" note = """## Triage and analysis -Detections should be investigated to identify if the activity corresponds to legitimate activity. As this rule detects post-exploitation process activity, investigations into this should be prioritized. +### Investigating Web Shell Detection: Script Process Child of Common Web Processes + +Adversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web +script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a +network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the +web server. + +This rule detects a web server process spawning script and command-line interface programs, potentially indicating +attackers executing commands using the web shell. + +#### Possible investigation steps + +- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file +modifications, and any other spawned child processes. +- Examine the command line to determine which commands or scripts were executed. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. +- If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. 
+ - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently +malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). ## Setup 
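Review bot: The "Possible investigation steps" for the web shell guide stop at the spawned process and never point the analyst at the web server itself, so the step that actually identifies the web shell file — correlating the process start time with the server's access logs — is missing. I would add, after the command-line step, `- Review the web server access logs around the alert time to identify the request and script file that invoked the process.`; this is what locates the dropped artifact that the later "If scripts or executables were dropped" step assumes the analyst already has. The `name` change from "Webshell Detection" to "Web Shell Detection" also alters a user-visible rule title, so any documentation or saved views that reference the old name should be updated alongside it (the `rule_id` is unchanged, so exceptions keyed on it are unaffected).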
diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml index 23cc6b795..60ff57bba 100644 --- a/rules/windows/privilege_escalation_installertakeover.toml +++ b/rules/windows/privilege_escalation_installertakeover.toml @@ -3,7 +3,7 @@ creation_date = "2021/11/25" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/09/20" [rule] author = ["Elastic"] @@ -40,7 +40,7 @@ for prevalence, whether they are located in expected locations, and if they are - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml index bc8be58ee..03c941ac5 100644 --- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml +++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml @@ -3,7 +3,7 @@ creation_date = "2020/01/07" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/09/20" [rule] author = ["Elastic"] 
@@ -17,7 +17,56 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Suspicious DLL Loaded for Persistence or Privilege Escalation" -note = """## Setup +note = """## Triage and analysis + +### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation + +Attackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate +privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a +default Windows installation or one that can be loaded from a different location by a native Windows process. + +#### Possible investigation steps + +- Examine the DLL signature and identify the process that created it. + - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and + any spawned child processes. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Retrieve the DLL and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently +malicious must be monitored by the security team. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. 
+- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). + +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml index 7989ea55e..80e477d84 100644 --- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml +++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml 
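Review bot: The guide's opening paragraph says the rule fires on a DLL "that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process", but the investigation steps only ask to "Examine the DLL signature and identify the process that created it" and never ask the analyst to check where the module was loaded from. I would add `- Compare the DLL's load path with the directory where the legitimate module normally resides; a copy in a user-writable or non-standard location is a strong indicator of DLL search-order abuse.` as the second step. A smaller consistency point: here "Run a full antimalware scan" precedes "Investigate credential exposure", while the other guides added in this commit list credential exposure first; the ordering should be the same across the set.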
@@ -3,22 +3,73 @@ creation_date = "2020/08/14" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/09/20" [rule] author = ["Elastic"] description = """ Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including -CVE-2020-1048 and CVE-2020-1337. . +CVE-2020-1048 and CVE-2020-1337. """ from = "now-9m" index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" -name = "Suspicious PrintSpooler SPL File Created" -note = """## Threat intel +name = "Suspicious Print Spooler SPL File Created" +note = """## Triage and analysis -Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched. +### Investigating Suspicious Print Spooler SPL File Created + +Print Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs +by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc. + +The Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like +CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location +`?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files +for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, +and any spawned child processes. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Retrieve the process executable and determine if it is malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - File and registry access, modification, and creation activities. + - Service creation and launch activities. + - Scheduled task creation. + - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. + - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + +### False positive analysis + +- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination +of process executable and file conditions. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that + attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and +malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are +identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business +systems, and web services. +- Ensure that the machine has the latest security updates and is not running legacy Windows versions. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the +mean time to respond (MTTR). ## Setup diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index 14cd87ab1..9b54d52bc 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml @@ -3,7 +3,7 @@ creation_date = "2020/03/17" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/20" [rule] author = ["Elastic"] 
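Review bot: The remediation list adds "Ensure that the machine has the latest security updates", which is the right check for CVE-2020-1048 and CVE-2020-1337, but it omits the hardening step that removes the attack surface entirely on hosts that never print, and the guide itself notes the service is "enabled by default in all Windows clients and servers". I would add, after the security-updates line, `- Consider disabling the Print Spooler service on hosts that do not require printing, and restrict who can add printer drivers on those that do.`. The literal path `?:\\Windows\\System32\\spool\\PRINTERS\\` sits inside a TOML basic multi-line string, so the doubled backslashes are the correct escaping and render as single backslashes in the rule UI; worth a one-line comment above `note` for future editors since the same path appears unescaped in EQL query strings elsewhere in the repo. The `note` string's closing `"""` lies outside this hunk.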
@@ -38,16 +38,16 @@ UAC prompt being displayed to the user. This rule detects this UAC bypass by mon - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. - Investigate other alerts associated with the user/host during the past 48 hours. -- Inspect the host for suspicious or abnormal behaviors in the alert timeframe. -- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file -modifications, and any spawned child processes. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, +and any spawned child processes. - Retrieve the process executable and determine if it is malicious: - Use a private sandboxed malware analysis system to perform analysis. - Observe and collect information about the following activities: - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml index e3eb9578f..b3a039b19 100644 --- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml 
@@ -3,7 +3,7 @@ creation_date = "2020/10/26" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/20" [rule] author = ["Elastic"] @@ -35,16 +35,16 @@ directory. Attackers may bypass UAC to stealthily execute code with elevated per - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. - Investigate other alerts associated with the user/host during the past 48 hours. -- Inspect the host for suspicious or abnormal behaviors in the alert timeframe. -- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file -modifications, and any spawned child processes. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, +and any spawned child processes. - If any of the spawned processes are suspicious, retrieve them and determine if it is malicious: - Use a private sandboxed malware analysis system to perform analysis. - Observe and collect information about the following activities: - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. 
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml index b2d76900b..aa6ac072e 100644 --- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml @@ -3,7 +3,7 @@ creation_date = "2020/10/14" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/20" [rule] author = ["Elastic"] 
@@ -35,16 +35,16 @@ Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with e - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. - Investigate other alerts associated with the user/host during the past 48 hours. -- Inspect the host for suspicious or abnormal behaviors in the alert timeframe. -- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file -modifications, and any spawned child processes. +- Inspect the host for suspicious or abnormal behavior in the alert timeframe. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, +and any spawned child processes. - If any of the spawned processes are suspicious, retrieve them and determine if it is malicious: - Use a private sandboxed malware analysis system to perform analysis. - Observe and collect information about the following activities: - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index 37b9021d5..e23417c77 100644 --- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml 
@@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/09/20" [rule] author = ["Elastic"] @@ -31,15 +31,15 @@ This rule uses this information to spot suspicious parent and child processes. - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. - Investigate other alerts associated with the user/host during the past 48 hours. -- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file -modifications, and any spawned child processes. +- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, +and any spawned child processes. - Retrieve the process executable and determine if it is malicious: - Use a private sandboxed malware analysis system to perform analysis. - Observe and collect information about the following activities: - Attempts to contact external domains and addresses. - File and registry access, modification, and creation activities. - Service creation and launch activities. - - Scheduled tasks creation. + - Scheduled task creation. - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values. - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.