security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1c10c37468929ca3bb2a4cfd921b0896b4e03e70
sigma-rules/rules/windows/execution_from_unusual_path_cmdline.toml
T
sbousseaden 27262a585b [Tuning] Add logs-system. index where applicable (#3390) 
* Update discovery_adfind_command_activity.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update initial_access_suspicious_ms_office_child_process.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update initial_access_suspicious_ms_exchange_process.toml

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update execution_from_unusual_path_cmdline.toml

* Update execution_enumeration_via_wmiprvse.toml

* Update execution_command_shell_started_by_svchost.toml

* Update discovery_enumerating_domain_trusts_via_nltest.toml

* Update discovery_enumerating_domain_trusts_via_dsquery.toml

* Update defense_evasion_workfolders_control_execution.toml

* Update defense_evasion_iis_httplogging_disabled.toml

* Update defense_evasion_enable_inbound_rdp_with_netsh.toml

* Update defense_evasion_disabling_windows_logs.toml

* Update credential_access_wireless_creds_dumping.toml

* Update credential_access_iis_apppoolsa_pwd_appcmd.toml

* Update credential_access_iis_connectionstrings_dumping.toml

* Update command_and_control_remote_file_copy_desktopimgdownldr.toml

* Update command_and_control_remote_file_copy_mpcmdrun.toml

* Update command_and_control_dns_tunneling_nslookup.toml

* Update persistence_webshell_detection.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update privilege_escalation_named_pipe_impersonation.toml

* Update command_and_control_certreq_postdata.toml

* Update defense_evasion_suspicious_certutil_commands.toml

* Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update persistence_system_shells_via_services.toml

* Update execution_suspicious_cmd_wmi.toml

* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update discovery_adfind_command_activity.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_unusual_dir_ads.toml

* Update defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_enabled_via_dism.toml

* Update discovery_admin_recon.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update lateral_movement_alternate_creds_pth.toml

* Update persistence_via_windows_management_instrumentation_event_subscription.toml

* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml

* Update persistence_via_application_shimming.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update discovery_adfind_command_activity.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-01-17 13:49:59 +00:00

266 lines
12 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/10/30"
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/16"
[transform]
[[transform.osquery]]
label = "Osquery - Retrieve DNS Cache"
query = "SELECT * FROM dns_cache"
[[transform.osquery]]
label = "Osquery - Retrieve All Services"
query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
[[transform.osquery]]
label = "Osquery - Retrieve Services Running on User Accounts"
query = """
SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
user_account == null)
"""
[[transform.osquery]]
label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
query = """
SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
"""
[rule]
author = ["Elastic"]
description = """
Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide
malware in trusted paths.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Execution from Unusual Directory - Command Line"
note = """## Triage and analysis
### Investigating Execution from Unusual Directory - Command Line
This rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.
> **Note**:
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
#### Possible investigation steps
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Examine the command line to determine which commands or scripts were executed.
- Examine the host for derived artifacts that indicate suspicious activities:
- Analyze the script using a private sandboxed analysis system.
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
- Attempts to contact external domains and addresses.
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.
- Examine the DNS cache for suspicious or anomalous entries.
- $osquery_0
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.
- Examine the host services for suspicious or anomalous entries.
- $osquery_1
- $osquery_2
- $osquery_3
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.
### False positive analysis
- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of parent process executable and command line conditions.
### Related rules
- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
risk_score = 47
rule_id = "cff92c41-2225-4763-b4ce-6f71e5bda5e6"
setup="""
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Execution",
"Tactic: Defense Evasion",
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.name : ("wscript.exe",
"cscript.exe",
"rundll32.exe",
"regsvr32.exe",
"cmstp.exe",
"RegAsm.exe",
"installutil.exe",
"mshta.exe",
"RegSvcs.exe",
"powershell.exe",
"pwsh.exe",
"cmd.exe") and
/* add suspicious execution paths here */
process.args : ("C:\\PerfLogs\\*",
"C:\\Users\\Public\\*",
"C:\\Windows\\Tasks\\*",
"C:\\Intel\\*",
"C:\\AMD\\Temp\\*",
"C:\\Windows\\AppReadiness\\*",
"C:\\Windows\\ServiceState\\*",
"C:\\Windows\\security\\*",
"C:\\Windows\\IdentityCRL\\*",
"C:\\Windows\\Branding\\*",
"C:\\Windows\\csc\\*",
"C:\\Windows\\DigitalLocker\\*",
"C:\\Windows\\en-US\\*",
"C:\\Windows\\wlansvc\\*",
"C:\\Windows\\Prefetch\\*",
"C:\\Windows\\Fonts\\*",
"C:\\Windows\\diagnostics\\*",
"C:\\Windows\\TAPI\\*",
"C:\\Windows\\INF\\*",
"C:\\Windows\\System32\\Speech\\*",
"C:\\windows\\tracing\\*",
"c:\\windows\\IME\\*",
"c:\\Windows\\Performance\\*",
"c:\\windows\\intel\\*",
"c:\\windows\\ms\\*",
"C:\\Windows\\dot3svc\\*",
"C:\\Windows\\panther\\*",
"C:\\Windows\\RemotePackages\\*",
"C:\\Windows\\OCR\\*",
"C:\\Windows\\appcompat\\*",
"C:\\Windows\\apppatch\\*",
"C:\\Windows\\addins\\*",
"C:\\Windows\\Setup\\*",
"C:\\Windows\\Help\\*",
"C:\\Windows\\SKB\\*",
"C:\\Windows\\Vss\\*",
"C:\\Windows\\servicing\\*",
"C:\\Windows\\CbsTemp\\*",
"C:\\Windows\\Logs\\*",
"C:\\Windows\\WaaS\\*",
"C:\\Windows\\twain_32\\*",
"C:\\Windows\\ShellExperiences\\*",
"C:\\Windows\\ShellComponents\\*",
"C:\\Windows\\PLA\\*",
"C:\\Windows\\Migration\\*",
"C:\\Windows\\debug\\*",
"C:\\Windows\\Cursors\\*",
"C:\\Windows\\Containers\\*",
"C:\\Windows\\Boot\\*",
"C:\\Windows\\bcastdvr\\*",
"C:\\Windows\\TextInput\\*",
"C:\\Windows\\security\\*",
"C:\\Windows\\schemas\\*",
"C:\\Windows\\SchCache\\*",
"C:\\Windows\\Resources\\*",
"C:\\Windows\\rescache\\*",
"C:\\Windows\\Provisioning\\*",
"C:\\Windows\\PrintDialog\\*",
"C:\\Windows\\PolicyDefinitions\\*",
"C:\\Windows\\media\\*",
"C:\\Windows\\Globalization\\*",
"C:\\Windows\\L2Schemas\\*",
"C:\\Windows\\LiveKernelReports\\*",
"C:\\Windows\\ModemLogs\\*",
"C:\\Windows\\ImmersiveControlPanel\\*",
"C:\\$Recycle.Bin\\*") and
/* noisy FP patterns */
not process.parent.executable : ("C:\\WINDOWS\\System32\\DriverStore\\FileRepository\\*\\igfxCUIService*.exe",
"C:\\Windows\\System32\\spacedeskService.exe",
"C:\\Program Files\\Dell\\SupportAssistAgent\\SRE\\SRE.exe") and
not (process.name : "rundll32.exe" and
process.args : ("uxtheme.dll,#64",
"PRINTUI.DLL,PrintUIEntry",
"?:\\Windows\\System32\\FirewallControlPanel.dll,ShowNotificationDialog",
"?:\\WINDOWS\\system32\\Speech\\SpeechUX\\sapi.cpl",
"?:\\Windows\\system32\\shell32.dll,OpenAs_RunDLL")) and
not (process.name : "cscript.exe" and process.args : "?:\\WINDOWS\\system32\\calluxxprovider.vbs") and
not (process.name : "cmd.exe" and process.args : "?:\\WINDOWS\\system32\\powercfg.exe" and process.args : "?:\\WINDOWS\\inf\\PowerPlan.log") and
not (process.name : "regsvr32.exe" and process.args : "?:\\Windows\\Help\\OEM\\scripts\\checkmui.dll") and
not (process.name : "cmd.exe" and
process.parent.executable : ("?:\\Windows\\System32\\oobe\\windeploy.exe",
"?:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe",
"?:\\Windows\\System32\\igfxCUIService.exe",
"?:\\Windows\\Temp\\IE*.tmp\\IE*-support\\ienrcore.exe"))
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.005"
name = "Match Legitimate Name or Location"
reference = "https://attack.mitre.org/techniques/T1036/005/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
Reference in New Issue View Git Blame Copy Permalink