dstepanic17
9ff3873ee7
* [rule-tuning] Adding more context with triage/investigation * Adding mimikatz rule * Fixed updated date on mimikatz rule * Adding Defender update * Adding scheduled task * Adding AdFind * Adding rare process * Adding cloudtrail country * Adding cloudtrail spike * Adding threat intel * Fixed minor spelling/syntax * Fixed minor spelling/syntax p2 * Update rules/cross-platform/threat_intel_module_match.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/ml/ml_rare_process_by_host_windows.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_mimikatz_powershell_module.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_mimikatz_powershell_module.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Removed MITRE link, added Microsoft * Update ml_cloudtrail_error_message_spike.toml * Update ml_cloudtrail_rare_method_by_country.toml * Update ml_rare_process_by_host_windows.toml * Update credential_access_mimikatz_powershell_module.toml * Update defense_evasion_defender_exclusion_via_powershell.toml * Update discovery_adfind_command_activity.toml * Update lateral_movement_dns_server_overflow.toml * Update lateral_movement_scheduled_task_target.toml * Update persistence_evasion_registry_startup_shell_folder_modified.toml * Update defense_evasion_defender_exclusion_via_powershell.toml * Update lateral_movement_scheduled_task_target.toml * Update persistence_evasion_registry_startup_shell_folder_modified.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
93 lines
4.1 KiB
TOML
93 lines
4.1 KiB
TOML
[metadata]
|
|
creation_date = "2021/03/15"
|
|
maturity = "production"
|
|
updated_date = "2021/09/10"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass
|
|
detections monitoring file creation in the Windows Startup folder.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Suspicious Startup Shell Folder Modification"
|
|
note = """## Triage and analysis
|
|
|
|
### Investigating Suspicious Startup Shell Activity
|
|
|
|
Techniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for
|
|
persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this
|
|
behavior may evade existing AV/EDR solutions. Another preference is that these programs might run with higher privileges
|
|
which can be ideal for an attacker.
|
|
|
|
#### Possible investigation steps:
|
|
- Review the source process and related file tied to the Windows Registry entry
|
|
- Validate the activity is not related to planned patches, updates, network administrator activity or legitimate software
|
|
installations
|
|
- Determine if activity is unique by validating if other machines in same organization have similar entry
|
|
|
|
### False Positive Analysis
|
|
- There is a high possibility of benign legitimate programs being added to Shell folders. This activity could be based
|
|
on new software installations, patches, or any kind of network administrator related activity. Before entering further
|
|
investigation, this activity should be validated that is it not related to benign activity
|
|
|
|
### Related Rules
|
|
- Startup or Run Key Registry Modification
|
|
- Persistent Scripts in the Startup Directory
|
|
|
|
### Response and Remediation
|
|
- Activity should first be validated as a true positive event if so then immediate response should be taken to review,
|
|
investigate and potentially isolate activity to prevent further post-compromise behavior
|
|
- The respective binary or program tied to this persistence method should be further analyzed and reviewed to understand
|
|
it's behavior and capabilities
|
|
- Since this activity is considered post-exploitation behavior, it's important to understand how the behavior was first
|
|
initialized such as through a macro-enabled document that was attached in a phishing email. By understanding the source
|
|
of the attack, this information can then be used to search for similar indicators on other machines in the same environment.
|
|
"""
|
|
risk_score = 73
|
|
rule_id = "c8b150f0-0164-475b-a75e-74b47800a9ff"
|
|
severity = "high"
|
|
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
registry where
|
|
registry.path : (
|
|
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Common Startup",
|
|
"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup",
|
|
"HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup",
|
|
"HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup"
|
|
) and
|
|
registry.data.strings != null and
|
|
/* Normal Startup Folder Paths */
|
|
not registry.data.strings : (
|
|
"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
|
|
"%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
|
|
"%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
|
|
"C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
|
|
)
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1547"
|
|
name = "Boot or Logon Autostart Execution"
|
|
reference = "https://attack.mitre.org/techniques/T1547/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1547.001"
|
|
name = "Registry Run Keys / Startup Folder"
|
|
reference = "https://attack.mitre.org/techniques/T1547/001/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0003"
|
|
name = "Persistence"
|
|
reference = "https://attack.mitre.org/tactics/TA0003/"
|