900a8cdbe9
[New Rule] Suspicious LSASS Access via MalSecLogon ( #2063 )
...
* [New Rule]
Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value, this may indicate an attempt to leak an Lsass handle via abusing the Secondary Logon service in preparation for credential access.
https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
Data:
```
{
"_index": ".ds-logs-windows.sysmon_operational-default-2022.06.16-000005",
"_id": "QxU4rIEBTJjT82fLq8Cf",
"_score": 1,
"_source": {
"agent": {
"name": "02694w-win10",
"id": "85e87161-ea22-4847-a978-fb4ed45ebf0e",
"type": "filebeat",
"ephemeral_id": "137d194a-e542-4cd6-a1e3-f4ca9f5ad6b8",
"version": "8.0.0"
},
"process": {
"name": "svchost.exe",
"pid": 456,
"thread": {
"id": 15264
},
"entity_id": "{6a3c3ef2-3646-62ab-1300-00000000d300}",
"executable": "C:\\WINDOWS\\system32\\svchost.exe"
},
"winlog": {
"computer_name": "02694w-win10.threebeesco.com",
"process": {
"pid": 2680,
"thread": {
"id": 3988
}
},
"channel": "Microsoft-Windows-Sysmon/Operational",
"event_data": {
"GrantedAccess": "0x14c0",
"TargetProcessId": "680",
"SourceUser": "NT AUTHORITY\\SYSTEM",
"TargetImage": "C:\\WINDOWS\\system32\\lsass.exe",
"CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+2726e|c:\\windows\\system32\\seclogon.dll+128f|c:\\windows\\system32\\seclogon.dll+10a0|C:\\WINDOWS\\System32\\RPCRT4.dll+76953|C:\\WINDOWS\\System32\\RPCRT4.dll+da036|C:\\WINDOWS\\System32\\RPCRT4.dll+37a4c|C:\\WINDOWS\\System32\\RPCRT4.dll+548c8|C:\\WINDOWS\\System32\\RPCRT4.dll+2c921|C:\\WINDOWS\\System32\\RPCRT4.dll+2c1db|C:\\WINDOWS\\System32\\RPCRT4.dll+1a86f|C:\\WINDOWS\\System32\\RPCRT4.dll+19d1a|C:\\WINDOWS\\System32\\RPCRT4.dll+19301|C:\\WINDOWS\\System32\\RPCRT4.dll+18d6e|C:\\WINDOWS\\System32\\RPCRT4.dll+169a5|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+333ed|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+34142|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51",
"TargetProcessGUID": "{6a3c3ef2-3646-62ab-0c00-00000000d300}",
"TargetUser": "NT AUTHORITY\\SYSTEM"
},
"opcode": "Info",
"version": 3,
"record_id": "1825496",
"task": "Process accessed (rule: ProcessAccess)",
"event_id": "10",
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"api": "wineventlog",
"provider_name": "Microsoft-Windows-Sysmon",
"user": {
"identifier": "S-1-5-18",
"domain": "NT AUTHORITY",
"name": "SYSTEM",
"type": "User"
}
},
"log": {
"level": "information"
},
"elastic_agent": {
"id": "85e87161-ea22-4847-a978-fb4ed45ebf0e",
"version": "8.0.0",
"snapshot": false
},
"message": "Process accessed:\nRuleName: -\nUtcTime: 2022-06-28 21:29:49.829\nSourceProcessGUID: {6a3c3ef2-3646-62ab-1300-00000000d300}\nSourceProcessId: 456\nSourceThreadId: 15264\nSourceImage: C:\\WINDOWS\\system32\\svchost.exe\nTargetProcessGUID: {6a3c3ef2-3646-62ab-0c00-00000000d300}\nTargetProcessId: 680\nTargetImage: C:\\WINDOWS\\system32\\lsass.exe\nGrantedAccess: 0x14C0\nCallTrace: C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+2726e|c:\\windows\\system32\\seclogon.dll+128f|c:\\windows\\system32\\seclogon.dll+10a0|C:\\WINDOWS\\System32\\RPCRT4.dll+76953|C:\\WINDOWS\\System32\\RPCRT4.dll+da036|C:\\WINDOWS\\System32\\RPCRT4.dll+37a4c|C:\\WINDOWS\\System32\\RPCRT4.dll+548c8|C:\\WINDOWS\\System32\\RPCRT4.dll+2c921|C:\\WINDOWS\\System32\\RPCRT4.dll+2c1db|C:\\WINDOWS\\System32\\RPCRT4.dll+1a86f|C:\\WINDOWS\\System32\\RPCRT4.dll+19d1a|C:\\WINDOWS\\System32\\RPCRT4.dll+19301|C:\\WINDOWS\\System32\\RPCRT4.dll+18d6e|C:\\WINDOWS\\System32\\RPCRT4.dll+169a5|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+333ed|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+34142|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51\nSourceUser: NT AUTHORITY\\SYSTEM\nTargetUser: NT AUTHORITY\\SYSTEM",
"input": {
"type": "winlog"
},
"@timestamp": "2022-06-28T21:29:49.829Z",
"ecs": {
"version": "1.12.0"
},
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "windows.sysmon_operational"
},
"host": {
"hostname": "02694w-win10",
"os": {
"build": "18363.815",
"kernel": "10.0.18362.815 (WinBuild.160101.0800)",
"name": "Windows 10 Enterprise",
"type": "windows",
"family": "windows",
"version": "10.0",
"platform": "windows"
},
"ip": [
"fe80::7587:a5c1:5a7b:68f6",
"172.16.66.25"
],
"name": "02694w-win10.threebeesco.com",
"id": "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
"mac": [
"00:50:56:03:c6:93"
],
"architecture": "x86_64"
},
"event": {
"agent_id_status": "verified",
"ingested": "2022-06-28T21:30:04Z",
"code": "10",
"provider": "Microsoft-Windows-Sysmon",
"created": "2022-06-28T21:29:51.107Z",
"kind": "event",
"action": "Process accessed (rule: ProcessAccess)",
"category": [
"process"
],
"type": [
"access"
],
"dataset": "windows.sysmon_operational"
},
"user": {
"id": "S-1-5-18"
}
},
"fields": {
"elastic_agent.version": [
"8.0.0"
],
"event.category": [
"process"
],
"host.os.name.text": [
"Windows 10 Enterprise"
],
"winlog.provider_guid": [
"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"
],
"winlog.provider_name": [
"Microsoft-Windows-Sysmon"
],
"host.hostname": [
"02694w-win10"
],
"winlog.computer_name": [
"02694w-win10.threebeesco.com"
],
"process.pid": [
456
],
"host.mac": [
"00:50:56:03:c6:93"
],
"winlog.process.pid": [
2680
],
"host.os.version": [
"10.0"
],
"winlog.record_id": [
"1825496"
],
"winlog.event_data.TargetUser": [
"NT AUTHORITY\\SYSTEM"
],
"host.os.name": [
"Windows 10 Enterprise"
],
"log.level": [
"information"
],
"agent.name": [
"02694w-win10"
],
"host.name": [
"02694w-win10.threebeesco.com"
],
"event.agent_id_status": [
"verified"
],
"event.kind": [
"event"
],
"winlog.version": [
3
],
"host.os.type": [
"windows"
],
"user.id": [
"S-1-5-18"
],
"input.type": [
"winlog"
],
"data_stream.type": [
"logs"
],
"host.architecture": [
"x86_64"
],
"process.name": [
"svchost.exe"
],
"event.provider": [
"Microsoft-Windows-Sysmon"
],
"event.code": [
"10"
],
"agent.id": [
"85e87161-ea22-4847-a978-fb4ed45ebf0e"
],
"ecs.version": [
"1.12.0"
],
"event.created": [
"2022-06-28T21:29:51.107Z"
],
"winlog.event_data.CallTrace": [
"C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+2726e|c:\\windows\\system32\\seclogon.dll+128f|c:\\windows\\system32\\seclogon.dll+10a0|C:\\WINDOWS\\System32\\RPCRT4.dll+76953|C:\\WINDOWS\\System32\\RPCRT4.dll+da036|C:\\WINDOWS\\System32\\RPCRT4.dll+37a4c|C:\\WINDOWS\\System32\\RPCRT4.dll+548c8|C:\\WINDOWS\\System32\\RPCRT4.dll+2c921|C:\\WINDOWS\\System32\\RPCRT4.dll+2c1db|C:\\WINDOWS\\System32\\RPCRT4.dll+1a86f|C:\\WINDOWS\\System32\\RPCRT4.dll+19d1a|C:\\WINDOWS\\System32\\RPCRT4.dll+19301|C:\\WINDOWS\\System32\\RPCRT4.dll+18d6e|C:\\WINDOWS\\System32\\RPCRT4.dll+169a5|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+333ed|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+34142|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51"
],
"agent.version": [
"8.0.0"
],
"host.os.family": [
"windows"
],
"process.thread.id": [
15264
],
"winlog.event_data.TargetProcessGUID": [
"{6a3c3ef2-3646-62ab-0c00-00000000d300}"
],
"winlog.process.thread.id": [
3988
],
"winlog.event_data.TargetImage": [
"C:\\WINDOWS\\system32\\lsass.exe"
],
"winlog.event_data.TargetProcessId": [
"680"
],
"process.entity_id": [
"{6a3c3ef2-3646-62ab-1300-00000000d300}"
],
"host.os.build": [
"18363.815"
],
"winlog.user.type": [
"User"
],
"host.ip": [
"fe80::7587:a5c1:5a7b:68f6",
"172.16.66.25"
],
"agent.type": [
"filebeat"
],
"event.module": [
"windows"
],
"host.os.kernel": [
"10.0.18362.815 (WinBuild.160101.0800)"
],
"winlog.api": [
"wineventlog"
],
"elastic_agent.snapshot": [
false
],
"host.id": [
"6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160"
],
"process.executable": [
"C:\\WINDOWS\\system32\\svchost.exe"
],
"winlog.user.identifier": [
"S-1-5-18"
],
"winlog.event_data.SourceUser": [
"NT AUTHORITY\\SYSTEM"
],
"winlog.task": [
"Process accessed (rule: ProcessAccess)"
],
"winlog.user.domain": [
"NT AUTHORITY"
],
"elastic_agent.id": [
"85e87161-ea22-4847-a978-fb4ed45ebf0e"
],
"data_stream.namespace": [
"default"
],
"winlog.event_data.GrantedAccess": [
"0x14c0"
],
"message": [
"Process accessed:\nRuleName: -\nUtcTime: 2022-06-28 21:29:49.829\nSourceProcessGUID: {6a3c3ef2-3646-62ab-1300-00000000d300}\nSourceProcessId: 456\nSourceThreadId: 15264\nSourceImage: C:\\WINDOWS\\system32\\svchost.exe\nTargetProcessGUID: {6a3c3ef2-3646-62ab-0c00-00000000d300}\nTargetProcessId: 680\nTargetImage: C:\\WINDOWS\\system32\\lsass.exe\nGrantedAccess: 0x14C0\nCallTrace: C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+2726e|c:\\windows\\system32\\seclogon.dll+128f|c:\\windows\\system32\\seclogon.dll+10a0|C:\\WINDOWS\\System32\\RPCRT4.dll+76953|C:\\WINDOWS\\System32\\RPCRT4.dll+da036|C:\\WINDOWS\\System32\\RPCRT4.dll+37a4c|C:\\WINDOWS\\System32\\RPCRT4.dll+548c8|C:\\WINDOWS\\System32\\RPCRT4.dll+2c921|C:\\WINDOWS\\System32\\RPCRT4.dll+2c1db|C:\\WINDOWS\\System32\\RPCRT4.dll+1a86f|C:\\WINDOWS\\System32\\RPCRT4.dll+19d1a|C:\\WINDOWS\\System32\\RPCRT4.dll+19301|C:\\WINDOWS\\System32\\RPCRT4.dll+18d6e|C:\\WINDOWS\\System32\\RPCRT4.dll+169a5|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+333ed|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+34142|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51\nSourceUser: NT AUTHORITY\\SYSTEM\nTargetUser: NT AUTHORITY\\SYSTEM"
],
"winlog.user.name": [
"SYSTEM"
],
"winlog.event_id": [
"10"
],
"event.ingested": [
"2022-06-28T21:30:04.000Z"
],
"event.action": [
"Process accessed (rule: ProcessAccess)"
],
"@timestamp": [
"2022-06-28T21:29:49.829Z"
],
"winlog.channel": [
"Microsoft-Windows-Sysmon/Operational"
],
"host.os.platform": [
"windows"
],
"data_stream.dataset": [
"windows.sysmon_operational"
],
"event.type": [
"access"
],
"winlog.opcode": [
"Info"
],
"agent.ephemeral_id": [
"137d194a-e542-4cd6-a1e3-f4ca9f5ad6b8"
],
"event.dataset": [
"windows.sysmon_operational"
]
}
}
```
* Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml
* Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 59736e3973
2022-07-20 14:31:31 +00:00
c010acb175
[Rule Tuning] Elastic Agent Service Terminated ( #2112 )
...
(cherry picked from commit 1276f98a70
2022-07-19 16:35:18 +00:00
9951ee66e5
2058 add setup field to metadata ( #2061 )
...
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2022-07-19 09:36:52 -04:00
ec17d0b54d
2058 add setup field to metadata ( #2061 )
...
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2022-07-18 20:15:19 -04:00
62298d92f4
2058 add setup field to metadata ( #2061 )
...
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
- rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
- rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
- rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
- rules/integrations/google_workspace/google_workspace_policy_modified.toml
- rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
- rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
- rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
- rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
- rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
- rules/integrations/kubernetes/execution_user_exec_to_pod.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml
(selectively cherry picked from commit a52751494e
2022-07-18 21:25:32 +00:00
c2bcfc575f
[New Rule] Elastic Agent Stopped ( #1991 )
...
* new rule for detecting if elastic agent has been stopped
* adjusted query based on feedback; added powershell, taskkill, pskill and processhacker
2022-07-18 17:15:01 -04:00
4235b5d798
[New Rule] Dynamic Linker Copy ( #2099 )
...
* [New Rule] Dynamic Linker Copy
* Update rules/linux/persistence_dynamic_linker_backup.toml
* Update rules/linux/persistence_dynamic_linker_backup.toml
* Update rules/linux/persistence_dynamic_linker_backup.toml
(cherry picked from commit 9995558b2a
2022-07-13 15:18:44 +00:00
4913be81e0
[New Rule] Tc BPF Filter ( #2091 )
...
* tc bpf filter
* Update rules/linux/execution_tc_bpf_filter.toml
(cherry picked from commit 58ad0823ca
2022-07-13 14:42:49 +00:00
d8ee4473a2
[Security Content] 8.4 - Add Investigation Guides ( #2069 )
...
* [Security Content] 8.4 - Add Investigation Guides
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
* Update rules/windows/credential_access_cmdline_dump_tool.toml
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Update rules/windows/credential_access_credential_dumping_msbuild.toml
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
Removed changes from:
- rules/windows/execution_command_shell_started_by_svchost.toml
(selectively cherry picked from commit 3a8efc8183
2022-07-13 14:29:48 +00:00
3e73a3c60a
[New Rule] Insmod kernel module load ( #2093 )
...
* insmod kernel module load
* Update rules/linux/persistence_insmod_kernel_module_load.toml
* Update rules/linux/persistence_insmod_kernel_module_load.toml
(cherry picked from commit d7d0466344
2022-07-13 14:23:29 +00:00
e241df5d76
[Rule Tuning] Potential Reverse Shell Activity via Terminal ( #2077 )
...
* adjusted query rule to exclude noisy FPs
* adjusted event.action to be event.type
(cherry picked from commit 7581234fe8
2022-07-13 02:34:43 +00:00
de2a90090c
[New Rule] Domain Trust Enumeration via Nltest ( #2010 )
...
* adding detection rule
* removed changes from unrelated rule
* adjusted threat technique
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 329530c8c3
2022-07-05 14:49:39 +00:00
8011420e71
Update discovery_privileged_localgroup_membership.toml ( #2046 )
...
(cherry picked from commit 853f8db8d0
2022-06-30 17:27:15 +00:00
69237c4ed2
[Rule tuning] existing strace activity rule. ( #2028 )
...
* Update description and MITTRE Attack details
(cherry picked from commit 2ee23bd80f
2022-06-16 11:49:16 +00:00
0973ac07ef
Update discovery_remote_system_discovery_commands_windows.toml ( #2033 )
...
(cherry picked from commit c8ff1dc9cb
2022-06-14 13:52:02 +00:00
57194b8e59
[Rule Tuning] M365 - Remove event.outcome condition from Auth Events ( #2004 )
...
* Remove event.outcome condition
* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml
* Revert "Update credential_access_microsoft_365_brute_force_user_account_attempt.toml"
This reverts commit c7e7c976174a62e6b50139291e8f7f1a34e7beab.
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 3aa53fc6c5
2022-06-03 17:24:48 +00:00
835b342a43
Update persistence_sdprop_exclusion_dsheuristics.toml ( #2017 )
...
(cherry picked from commit b6631f200e
2022-06-03 17:22:33 +00:00
a51d251e05
Adds logs-system.* index pattern ( #2016 )
...
(cherry picked from commit f857e009c5
2022-06-03 16:57:26 +00:00
b12d1cb978
[Rule Tuning] Add MITRE Details to exisisting hpining activity rule. ( #2012 )
...
* Add MITRE Details to existing hping activity rule.
(cherry picked from commit f02325fe2f
2022-06-02 05:08:23 +00:00
821e04aaf8
Linux binary(s) ftp shell evasion threat ( #2007 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 98a85ddcee
2022-06-01 16:40:06 +00:00
29cf0c8f77
[New Rule] Suspicious Microsoft Diagnostics Wizard Execution ( #2005 )
...
* [New Rule] Suspicious Microsoft Diagnostics Wizard Execution
https://lolbas-project.github.io/lolbas/Binaries/Msdt/
https://twitter.com/nao_sec/status/1530196847679401984
* Update rules/windows/defense_evasion_proxy_execution_via_msdt.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit d6e96a83d5
2022-06-01 15:04:54 +00:00
1484c20795
[Security Content] 8.3 Add Investigation Guides - 3 ( #1990 )
...
* [Security Content] 8.3 Add Investigation Guides - 3
* bump date
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
(cherry picked from commit 27f5c2e695
2022-05-31 15:59:13 +00:00
d575fd4b3c
[Security Content] 8.3 - Add Investigation Guides 2 ( #1989 )
...
* [Security Content] 8.3 - Add Investigation Guides 2 - Initial Commit
* .
* Add Related rules
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
* .
* .
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
(cherry picked from commit e5d3c6329c
2022-05-31 15:56:50 +00:00
10c2d9de3d
[Rule Tuning] Suspicious MS Office Child Process ( #2003 )
...
added msdt.exe as a response to this in the wild 0day (works without vba and on latest office) ->
https://twitter.com/nao_sec/status/1530196847679401984
https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection
(cherry picked from commit bfea11c99f
2022-05-31 12:23:08 +00:00
1d69a2bbae
[Promote Rule] Potential Invoke-Mimikatz PowerShell Script ( #1993 )
...
* Update credential_access_mimikatz_powershell_module.toml
* Update credential_access_mimikatz_powershell_module.toml
* Update credential_access_mimikatz_powershell_module.toml
* Update credential_access_mimikatz_powershell_module.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 1f8813d02f
2022-05-25 20:04:28 +00:00
75f8928d1f
[Rule tuning] Linux binary(s) shell evasion threat
...
* Linux binary(s) git shell evasion threat
(cherry picked from commit fd7a6d63b0
2022-05-25 13:53:22 +00:00
44046642e7
[Rule tuning] Linux binary(s) shell evasion threat ( #1957 )
...
* Linux binary(s) shell evasion threat
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 51b2d9da4b
2022-05-25 03:04:53 +00:00
c5e3312727
[Rule tuning] Whitespace Padding in Process Command Line ( #1967 )
...
* [Rule tuning] Whitespace Padding in Process Command Line
* bump updated_date
* update comment
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 72c186b30b
2022-05-23 19:35:44 +00:00
0796082300
[Rule tuning] Unusual Process Execution - Temp ( #1968 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 1840a638c8
2022-05-23 15:06:55 +00:00
e57cf31867
Modifying rules assoc w/ deprecation of v2 ML jobs ( #1846 )
...
* modifying rules assoc w/ deprecation of v2 ML jobs
* modified updated_date field
* fixed machine_learning_job_id and added min_stack_version
* replacing rest of deprecated jobs with new naming convention
* Update ml_suspicious_login_activity.toml
* removing rules assoc w/ deprecated ML jobs
* Update rules/ml/ml_linux_anomalous_compiler_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/ml/ml_linux_anomalous_compiler_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* updated ml job rules to reflect 8.3 changes
* updating min_stack_version for ml detection rules
Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com >
Removed changes from:
- rules/ml/ml_linux_anomalous_compiler_activity.toml
- rules/ml/ml_linux_anomalous_metadata_process.toml
- rules/ml/ml_linux_anomalous_metadata_user.toml
- rules/ml/ml_linux_anomalous_network_activity.toml
- rules/ml/ml_linux_anomalous_network_port_activity.toml
- rules/ml/ml_linux_anomalous_process_all_hosts.toml
- rules/ml/ml_linux_anomalous_sudo_activity.toml
- rules/ml/ml_linux_anomalous_user_name.toml
- rules/ml/ml_linux_system_information_discovery.toml
- rules/ml/ml_linux_system_network_configuration_discovery.toml
- rules/ml/ml_linux_system_network_connection_discovery.toml
- rules/ml/ml_linux_system_process_discovery.toml
- rules/ml/ml_linux_system_user_discovery.toml
- rules/ml/ml_rare_process_by_host_linux.toml
- rules/ml/ml_rare_process_by_host_windows.toml
- rules/ml/ml_suspicious_login_activity.toml
- rules/ml/ml_windows_anomalous_metadata_process.toml
- rules/ml/ml_windows_anomalous_metadata_user.toml
- rules/ml/ml_windows_anomalous_network_activity.toml
- rules/ml/ml_windows_anomalous_path_activity.toml
- rules/ml/ml_windows_anomalous_process_all_hosts.toml
- rules/ml/ml_windows_anomalous_process_creation.toml
- rules/ml/ml_windows_anomalous_script.toml
- rules/ml/ml_windows_anomalous_service.toml
- rules/ml/ml_windows_anomalous_user_name.toml
- rules/ml/ml_windows_rare_user_runas_event.toml
- rules/ml/ml_windows_rare_user_type10_remote_login.toml
(selectively cherry picked from commit 9a739b7e4c
2022-05-20 20:04:28 +00:00
a2dbfff31b
[Rule tuning] add support for osx, zsh, and expand tampering techniques ( #1974 )
...
* add support for osx, zsh, and expand tampering techniques
* migrate to cross-platform and add macOS tag
(cherry picked from commit 77966473d1
2022-05-20 15:12:56 +00:00
18277206f8
[Security Content] 8.3 - Add Investigation Guides ( #1937 )
...
* 8.3 - Add Investigation Guides
* Apply suggestions
* Apply the refactor
* Apply suggestions from Samir
* .
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit a1bdf2b564
2022-05-19 16:25:46 +00:00
128053a93e
[Rule tuning] check for anything found in the emondClient directory ( #1977 )
...
* check for anything found in the emondClient directory and add reference
(cherry picked from commit 92640f517a
2022-05-18 16:35:25 +00:00
7c90f1d4c4
[Security Content] Refactor Existing Investigation Guides ( #1959 )
...
* Initial commit
* Update Investigation guides - security-docs review
* Update command_and_control_dns_tunneling_nslookup.toml
* Update defense_evasion_amsienable_key_mod.toml
* Apply security-docs review
* Remove dot
* Update rules/windows/command_and_control_rdp_tunnel_plink.toml
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Apply changes from review
* Apply the suggestion
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
(cherry picked from commit 817b97f428
2022-05-18 16:01:50 +00:00
4817bf26c8
[Rule Tuning] Update Rule Name: Suspicious Network Connection Attempt Sequence by Root ( #1983 )
...
* [Rule Tuning] Update Rule Name
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
(cherry picked from commit d12f45c6ba
2022-05-17 22:43:06 +00:00
a440d87f67
[New Rule] Suspicious Outbound Network Connect Sequence by Root ( #1975 )
...
* adding initial rule
* adjusted UUID
* removed event.ingested as query is a sequence
* changed file name to match mitre ATT&CK tactic
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* TOML linted
* Update command_and_control_connection_attempt_by_non_ssh_root_session.toml
Just edited a couple grammar things. Looks good
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* added additional tactic for privilege escalation and linted
* formatted query to be more readable
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit c89f423961
2022-05-16 21:24:34 +00:00
f223e63030
Update command_and_control_common_webservices.toml ( #1970 )
...
(cherry picked from commit 27e6632ecd
2022-05-16 17:06:24 +00:00
c7d1ea428c
[New Rule] Abnormal Process ID File Creation ( #1964 )
...
* adding rule detection
* changed Rule ID
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Adding reboot extension as well.
Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Adding reboot to description.
Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Added additional reference to similar threat.
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* added rule for a process starting where the executable's name represented a PID file
* Adjusted user.id value from integer to string
* Added simple investigation notes and osquery coverage
* TOML linting
* Updated date to reflect recent changes
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 1704924f7b
2022-05-12 14:40:34 +00:00
ca7a148f5a
[New rule] Remote Computer Account DnsHostName Update ( #1962 )
...
* [New rule] Remote Computer Account DnsHostName Update
Identifies remote update to a computer account DnsHostName attribute, if the new value is set a valid domain controller DNS hostname and the subject computer name is not a domain controller then it's high likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges :
* added MS ref url
* Update rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 19ff825a91
2022-05-11 17:42:44 +00:00
b5f473a444
[New Rule] Executable Launched from Shared Memory Directory ( #1961 )
...
* new rule to check for executables launched from shared memory directory
* added references and false positive instances
* Update rules/linux/execution_shared_memory_executable.toml
* Update rules/linux/execution_shared_memory_executable.toml
* Update rules/linux/execution_shared_memory_executable.toml
* adjusted process to account for var run and lock directories
* TOML lint and query formatting
* TOML lint and query formatting
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* added BPFDoor tag to be threat specific
* TOML linting and adjusted risk because of root requirement
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 5f447a63a2
2022-05-11 16:22:41 +00:00
6e9faf3c2a
[Rule tuning] SSH Authorized Keys File Modification ( #1955 )
...
(cherry picked from commit c031bb501d
2022-05-09 15:52:33 +00:00
36413ad8b2
[New Rule] Potential Local NTLM Relay via HTTP ( #1947 )
...
* [New Rule] Potential Local NTLM Relay via HTTP
Detect attempt to elevate privileges via coercing a privileged service to connect to a local rogue HTTP endpoint, leading to NTLM relay, example of logs while testing https://github.com/med0x2e/NTLMRelay2Self (step 5):
* Update credential_access_relay_ntlm_auth_via_http_spoolss.toml
* Update credential_access_relay_ntlm_auth_via_http_spoolss.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 03836d45fa
2022-05-06 19:09:27 +00:00
5769a21867
[Rule Tuning] Update Rule Content Changes from Security Docs Team ( #1945 )
...
* updated content to reflect changes from Security Docs team
* Update rules/linux/execution_flock_binary.toml
* Update rules/linux/execution_expect_binary.toml
* TOML linting
* added escape for crdential_access_spn_attribute_modified.toml
(cherry picked from commit e9f5585a9f
2022-05-06 17:23:22 +00:00
6a6d49a362
[New Rule] Service Creation via Local Kerberos Authentication ( #1941 )
...
* [New Rule] Suspicious Service Creation via Local Kerberos Relay over LDAP
This rule will catch also the suspicious service that was created leveraging the imported kerberos ticket https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82 which makes triage easier :
DATA :
```
"sequences" : [
{
"join_keys" : [
"6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
"0xefac5f"
],
"events" : [
{
"_index" : ".ds-logs-system.security-default-2022.04.12-000003",
"_id" : "XAy1YoABQhClK0XGpqaL",
"_source" : {
"agent" : {
"name" : "02694w-win10",
"id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
"type" : "filebeat",
"ephemeral_id" : "6c751494-97a3-46aa-bab2-5baf01d17d04",
"version" : "8.0.0"
},
"process" : {
"name" : "-",
"pid" : 0,
"executable" : "-"
},
"winlog" : {
"computer_name" : "02694w-win10.threebeesco.com",
"process" : {
"pid" : 688,
"thread" : {
"id" : 5160
}
},
"keywords" : [
"Audit Success"
],
"logon" : {
"id" : "0x0",
"type" : "Network"
},
"channel" : "Security",
"event_data" : {
"LogonGuid" : "{82d3503b-9dac-ab6d-b045-8877b5aab051}",
"TargetOutboundDomainName" : "-",
"VirtualAccount" : "%%1843",
"LogonType" : "3",
"TransmittedServices" : "-",
"SubjectLogonId" : "0x0",
"LmPackageName" : "-",
"TargetOutboundUserName" : "-",
"KeyLength" : "0",
"RestrictedAdminMode" : "-",
"TargetLogonId" : "0xefac5f",
"SubjectUserName" : "-",
"TargetLinkedLogonId" : "0x0",
"ElevatedToken" : "%%1842",
"SubjectDomainName" : "-",
"ImpersonationLevel" : "%%1833",
"TargetUserName" : "Administrator",
"TargetDomainName" : "THREEBEESCO.COM",
"LogonProcessName" : "Kerberos",
"SubjectUserSid" : "S-1-0-0",
"TargetUserSid" : "S-1-5-21-308926384-506822093-3341789130-500",
"AuthenticationPackageName" : "Kerberos"
},
"opcode" : "Info",
"version" : 2,
"record_id" : "59330",
"task" : "Logon",
"event_id" : "4624",
"provider_guid" : "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"activity_id" : "{e22af019-58dd-0002-43f0-2ae2dd58d801}",
"api" : "wineventlog",
"provider_name" : "Microsoft-Windows-Security-Auditing"
},
"log" : {
"level" : "information"
},
"elastic_agent" : {
"id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
"version" : "8.0.0",
"snapshot" : false
},
"source" : {
"port" : 50494,
"ip" : "127.0.0.1",
"domain" : "-"
},
"message" : """An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-308926384-506822093-3341789130-500
Account Name: Administrator
Account Domain: THREEBEESCO.COM
Logon ID: 0xEFAC5F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {82d3503b-9dac-ab6d-b045-8877b5aab051}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 127.0.0.1
Source Port: 50494
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
"input" : {
"type" : "winlog"
},
"@timestamp" : "2022-04-25T21:09:04.559Z",
"ecs" : {
"version" : "1.12.0"
},
"related" : {
"ip" : [
"127.0.0.1"
],
"user" : [
"Administrator"
]
},
"data_stream" : {
"namespace" : "default",
"type" : "logs",
"dataset" : "system.security"
},
"host" : {
"hostname" : "02694w-win10",
"os" : {
"build" : "18363.815",
"kernel" : "10.0.18362.815 (WinBuild.160101.0800)",
"name" : "Windows 10 Enterprise",
"family" : "windows",
"type" : "windows",
"version" : "10.0",
"platform" : "windows"
},
"ip" : [
"fe80::7587:a5c1:5a7b:68f6",
"172.16.66.25"
],
"name" : "02694w-win10.threebeesco.com",
"id" : "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
"mac" : [
"00:50:56:03:c6:93"
],
"architecture" : "x86_64"
},
"event" : {
"agent_id_status" : "verified",
"ingested" : "2022-04-25T21:51:53Z",
"code" : "4624",
"provider" : "Microsoft-Windows-Security-Auditing",
"kind" : "event",
"created" : "2022-04-25T21:51:15.561Z",
"action" : "logged-in",
"category" : [
"authentication"
],
"type" : [
"start"
],
"dataset" : "system.security",
"outcome" : "success"
},
"user" : {
"domain" : "THREEBEESCO.COM",
"name" : "Administrator",
"id" : "S-1-5-21-308926384-506822093-3341789130-500"
}
}
},
{
"_index" : ".ds-logs-system.security-default-2022.04.12-000003",
"_id" : "Xwy1YoABQhClK0XGpqaL",
"_source" : {
"agent" : {
"name" : "02694w-win10",
"id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
"ephemeral_id" : "6c751494-97a3-46aa-bab2-5baf01d17d04",
"type" : "filebeat",
"version" : "8.0.0"
},
"winlog" : {
"computer_name" : "02694w-win10.threebeesco.com",
"process" : {
"pid" : 688,
"thread" : {
"id" : 5160
}
},
"keywords" : [
"Audit Success"
],
"logon" : {
"id" : "0xefac5f"
},
"channel" : "Security",
"event_data" : {
"ServiceAccount" : "LocalSystem",
"SubjectUserName" : "Administrator",
"ServiceStartType" : "3",
"ServiceName" : "KrbSCM",
"ServiceType" : "0x10",
"SubjectDomainName" : "3B",
"SubjectLogonId" : "0xefac5f",
"SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-500",
"ServiceFileName" : "\"C:\\Users\\lgreen\\Downloads\\KrbRelayUp.exe\" system 1"
},
"opcode" : "Info",
"record_id" : "59331",
"task" : "Security System Extension",
"event_id" : "4697",
"provider_guid" : "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"activity_id" : "{e22af019-58dd-0002-43f0-2ae2dd58d801}",
"api" : "wineventlog",
"provider_name" : "Microsoft-Windows-Security-Auditing"
},
"log" : {
"level" : "information"
},
"elastic_agent" : {
"id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
"version" : "8.0.0",
"snapshot" : false
},
"message" : """A service was installed in the system.
Subject:
Security ID: S-1-5-21-308926384-506822093-3341789130-500
Account Name: Administrator
Account Domain: 3B
Logon ID: 0xEFAC5F
Service Information:
Service Name: KrbSCM
Service File Name: "C:\Users\lgreen\Downloads\KrbRelayUp.exe" system 1
Service Type: 0x10
Service Start Type: 3
Service Account: LocalSystem""",
"input" : {
"type" : "winlog"
},
"@timestamp" : "2022-04-25T21:09:04.561Z",
"ecs" : {
"version" : "1.12.0"
},
"related" : {
"user" : [
"Administrator"
]
},
"data_stream" : {
"namespace" : "default",
"type" : "logs",
"dataset" : "system.security"
},
"service" : {
"name" : "KrbSCM",
"type" : "Win32 Own Process"
},
"host" : {
"hostname" : "02694w-win10",
"os" : {
"build" : "18363.815",
"kernel" : "10.0.18362.815 (WinBuild.160101.0800)",
"name" : "Windows 10 Enterprise",
"family" : "windows",
"type" : "windows",
"version" : "10.0",
"platform" : "windows"
},
"ip" : [
"fe80::7587:a5c1:5a7b:68f6",
"172.16.66.25"
],
"name" : "02694w-win10.threebeesco.com",
"id" : "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
"mac" : [
"00:50:56:03:c6:93"
],
"architecture" : "x86_64"
},
"event" : {
"agent_id_status" : "verified",
"ingested" : "2022-04-25T21:51:53Z",
"code" : "4697",
"provider" : "Microsoft-Windows-Security-Auditing",
"created" : "2022-04-25T21:51:15.561Z",
"kind" : "event",
"action" : "service-installed",
"category" : [
"iam",
"configuration"
],
"type" : [
"admin",
"change"
],
"dataset" : "system.security",
"outcome" : "success"
},
"user" : {
"domain" : "3B",
"name" : "Administrator",
"id" : "S-1-5-21-308926384-506822093-3341789130-500"
}
}
}
]
````
* Update privilege_escalation_krbrelayup_service_creation.toml
* removed duplicate SubjectLogonId from non ecs fields list
(cherry picked from commit 3f047b987e
2022-04-29 12:38:41 +00:00
6a5a59ad00
[New Rule] AWS Redshift Cluster Creation ( #1921 )
...
* Add rule for Redshift data warehouse creation.
* Add fp block.
* Add AWS integration metadata.
* Add timestamp override.
* Add note.
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update description for redshift instance creation.
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 34655374c1
2022-04-28 18:45:31 +00:00
3d9013a4c0
[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created ( #1939 )
...
* [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created
* Update non-ecs-schema.json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit f050b0ce0c
2022-04-27 12:12:47 +00:00
1d74816afc
Detection of suspicious crontab creation or modification ( #1938 )
...
* Detection of suspicious crontab creation or modification
* Update rules/macos/persistence_crontab_creation.toml
* Update rules/macos/persistence_crontab_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/persistence_crontab_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/persistence_crontab_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 88f71233c9
2022-04-27 06:40:40 +00:00
b025d3a764
[New Rule] Potential Privileged Escalation via KrbRelayUp ( #1940 )
...
* [New Rule] Potential Privileged Escalation via KrbRelayUp
Identifies a suspicious local successful logon event where the Logon Package is kerberos, the remote address is set to localhost and the target user SID is the builtin local Administrator account, this may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from filtered administrator token to a token with full System privileges.
https://github.com/Dec0ne/KrbRelayUp
DATA :
```
{
"_index" : ".ds-logs-system.security-default-2022.04.12-000003",
"_id" : "Cwy1YoABQhClK0XGfqEU",
"_source" : {
"agent" : {
"name" : "02694w-win10",
"id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
"type" : "filebeat",
"ephemeral_id" : "6c751494-97a3-46aa-bab2-5baf01d17d04",
"version" : "8.0.0"
},
"process" : {
"name" : "-",
"pid" : 0,
"executable" : "-"
},
"winlog" : {
"computer_name" : "02694w-win10.corpcorp.com",
"process" : {
"pid" : 688,
"thread" : {
"id" : 9384
}
},
"keywords" : [
"Audit Success"
],
"logon" : {
"id" : "0x0",
"type" : "Network"
},
"channel" : "Security",
"event_data" : {
"LogonGuid" : "{daac0d7c-3273-752c-bf5d-ea1c60851819}",
"TargetOutboundDomainName" : "-",
"VirtualAccount" : "%%1843",
"LogonType" : "3",
"TransmittedServices" : "-",
"SubjectLogonId" : "0x0",
"LmPackageName" : "-",
"TargetOutboundUserName" : "-",
"KeyLength" : "0",
"RestrictedAdminMode" : "-",
"TargetLogonId" : "0xebd3d4",
"SubjectUserName" : "-",
"TargetLinkedLogonId" : "0x0",
"ElevatedToken" : "%%1842",
"SubjectDomainName" : "-",
"TargetUserName" : "Administrator",
"ImpersonationLevel" : "%%1833",
"LogonProcessName" : "Kerberos",
"TargetDomainName" : "CORPCORP.COM",
"SubjectUserSid" : "S-1-0-0",
"AuthenticationPackageName" : "Kerberos",
"TargetUserSid" : "S-1-5-21-308926384-506822093-3341789130-500"
},
"opcode" : "Info",
"version" : 2,
"record_id" : "59063",
"task" : "Logon",
"event_id" : "4624",
"provider_guid" : "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"activity_id" : "{e22af019-58dd-0002-43f0-2ae2dd58d801}",
"api" : "wineventlog",
"provider_name" : "Microsoft-Windows-Security-Auditing"
},
"log" : {
"level" : "information"
},
"elastic_agent" : {
"id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
"version" : "8.0.0",
"snapshot" : false
},
"source" : {
"port" : 50480,
"ip" : "127.0.0.1",
"domain" : "-"
},
"message" : """An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-308926384-506822093-3341789130-500
Account Name: Administrator
Account Domain: CORPCORP.COM
Logon ID: 0xEBD3D4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {daac0d7c-3273-752c-bf5d-ea1c60851819}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 127.0.0.1
Source Port: 50480
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
"input" : {
"type" : "winlog"
},
"@timestamp" : "2022-04-25T21:07:15.306Z",
"ecs" : {
"version" : "1.12.0"
},
"related" : {
"ip" : [
"127.0.0.1"
],
"user" : [
"Administrator"
]
},
"data_stream" : {
"namespace" : "default",
"type" : "logs",
"dataset" : "system.security"
},
"host" : {
"hostname" : "02694w-win10",
"os" : {
"build" : "18363.815",
"kernel" : "10.0.18362.815 (WinBuild.160101.0800)",
"name" : "Windows 10 Enterprise",
"family" : "windows",
"type" : "windows",
"version" : "10.0",
"platform" : "windows"
},
"ip" : [
"fe80::7587:a5c1:5a7b:68f6",
"172.16.66.25"
],
"name" : "02694w-win10.corpcorp.com",
"id" : "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
"mac" : [
"00:50:56:03:c6:93"
],
"architecture" : "x86_64"
},
"event" : {
"agent_id_status" : "verified",
"ingested" : "2022-04-25T21:51:43Z",
"code" : "4624",
"provider" : "Microsoft-Windows-Security-Auditing",
"kind" : "event",
"created" : "2022-04-25T21:51:08.433Z",
"action" : "logged-in",
"category" : [
"authentication"
],
"type" : [
"start"
],
"dataset" : "system.security",
"outcome" : "success"
},
"user" : {
"domain" : "CORPCORP.COM",
"name" : "Administrator",
"id" : "S-1-5-21-308926384-506822093-3341789130-500"
}
}
}
```
* Update privilege_escalation_krbrelayup_suspicious_logon.toml
* Update privilege_escalation_krbrelayup_suspicious_logon.toml
* Update privilege_escalation_krbrelayup_suspicious_logon.toml
* Update privilege_escalation_krbrelayup_suspicious_logon.toml
* Update privilege_escalation_krbrelayup_suspicious_logon.toml
* Update rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update etc/non-ecs-schema.json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* relinted
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit a0672c7d2a
2022-04-26 23:41:59 +00:00
e3c8981b63
Review & Fix Invalid References ( #1936 )
...
(cherry picked from commit 20d2e92cfe
2022-04-26 20:59:20 +00:00
781043991a
[Rule Tuning] Exclude MS OneDrive/Teams from Component Object Model Hijacking ( #1932 )
...
* adjusted query to exclude OneDrive process name and MS Teams DLL reference in registry data strings
* adjusted formatting for altered query
* removed unecessary string used for reference
* removed unecessary parenthesis from new filters in query
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* added FileSyncConfig.exe for OneDrive, added regsvr32 to Teams DLL filter
* added investigation notes
* removed comment from original rule creation
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 5bf321a505
2022-04-26 15:45:47 +00:00
Samirbous