security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
322162f097a12e8a468a8b42d86a00a8a71fec66
sigma-rules/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
T
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30

77 lines
2.3 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2021/03/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be
indicative of adversary lateral movement preparation by making the added pipe available to everyone.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "NullSessionPipe Registry Modification"
references = [
"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares",
]
risk_score = 47
rule_id = "ddab1f5f-7089-44f5-9fda-de5b11322e77"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Lateral Movement",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where host.os.type == "windows" and event.type in ("creation", "change") and
registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes",
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes"
) and length(registry.data.strings) > 0
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.002"
name = "SMB/Windows Admin Shares"
reference = "https://attack.mitre.org/techniques/T1021/002/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
Reference in New Issue View Git Blame Copy Permalink