f0b2cb7c87
* added 'Uncommon Process Execution from Suspicious Directory' hunt * adds all linux hunting files * moves linux hunting files to queries folder * adds generated docs * fixing windows hunts * fixing windows hunts * updated README * Removed 2, updated a few, changed some names/descriptions and added list of str * updated windows for language schema changes, regenerated docs; updated README and index * changed UUIDs to hex only with standard hyphen format * removing unecessary docs * Fixed queries based on Samir feedback * ++ * regenerating linux docs * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * Update * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * regenerating linux docs --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
[hunt]
author = "Elastic"
description = """
This hunt helps identify drivers that were loaded only once, on a single host, and with a unique hash over a 15-day period. Advanced adversaries may leverage a legitimate but vulnerable driver to tamper with existing defences or execute code in kernel mode.
"""
integration = ["endpoint", "windows", "system"]
uuid = "cebfbb4d-5b2a-44d8-b763-5512b654fb26"
name = "Low Occurrence of Drivers Loaded on Unique Hosts"
language = ["ES|QL"]
license = "Elastic License v2"
notes = [
"This hunt has three optional queries: one for Elastic Defend data, one for Sysmon data, and one for Windows System log event ID 7045 events.",
"Further investigation can be done by pivoting on `dll.pe.imphash` or `dll.name`.",
"`dll.Ext.relative_file_creation_time` is used in the first query to limit the results to recently dropped drivers (this field is populated by Elastic Defend).",
"Aggregation can also be done by `dll.hash.sha256` / `file.hash.sha256`, but this will return more results.",
"Bring Your Own Vulnerable Driver (BYOVD) drivers are signed and not malicious in themselves; further investigation should be done on the surrounding events (service creation, the process that dropped the driver, etc.).",
]
mitre = [ "T1068"]
query = [
'''
from logs-endpoint.events.library-*
| where @timestamp > now() - 15 day
| where host.os.family == "windows" and event.category == "driver" and event.action == "load" and dll.Ext.relative_file_creation_time <= 900
| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(dll.hash.sha256) by dll.name, dll.pe.imphash
| where host_count == 1 and total_count == 1 and hash_count == 1
''',
'''
from logs-windows.sysmon_operational-*
| where @timestamp > now() - 15 day
| where host.os.family == "windows" and event.category == "driver"
| stats host_count = count_distinct(host.id), total_count = count(*), hash_count = count_distinct(file.hash.sha256) by file.name
| where host_count == 1 and total_count == 1 and hash_count == 1
''',
'''
from logs-system.system-*
| where @timestamp > now() - 15day
| where host.os.family == "windows" and event.code == "7045" and
winlog.event_data.ServiceType == "kernel mode driver"
| eval ServiceFileName = replace(winlog.event_data.ImagePath, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
| eval ServiceFileName = replace(ServiceFileName, """.inf_amd[a-z0-9]{5,}\\""", "_replaced_")
| eval ServiceFileName = replace(ServiceFileName, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\")
| stats cc = count(*), hosts = count_distinct(host.id) by ServiceFileName
| where hosts == 1 and cc == 1
'''
]