Jonhnathan
f584fb6e31
* [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules * Fix dates * Fix unit test errors * updated tags and fixed branch conflicts updated tags and fixed branch conflicts * description nit * Reverting unintended changes * Update initial_access_suspicious_ms_office_child_process.toml --------- Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
77 lines
2.4 KiB
TOML
77 lines
2.4 KiB
TOML
[metadata]
|
|
creation_date = "2022/10/13"
|
|
integration = ["endpoint", "windows"]
|
|
maturity = "production"
|
|
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
|
min_stack_version = "8.3.0"
|
|
updated_date = "2023/10/13"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when
|
|
PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where
|
|
PowerShell is common.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Persistence via PowerShell profile"
|
|
references = [
|
|
"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles",
|
|
"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
|
|
]
|
|
risk_score = 47
|
|
rule_id = "5cf6397e-eb91-4f31-8951-9f0eaa755a31"
|
|
severity = "medium"
|
|
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
file where host.os.type == "windows" and event.type != "deletion" and
|
|
file.path : ("?:\\Users\\*\\Documents\\WindowsPowerShell\\*",
|
|
"?:\\Users\\*\\Documents\\PowerShell\\*",
|
|
"?:\\Windows\\System32\\WindowsPowerShell\\*") and
|
|
file.name : ("profile.ps1", "Microsoft.Powershell_profile.ps1")
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1546"
|
|
name = "Event Triggered Execution"
|
|
reference = "https://attack.mitre.org/techniques/T1546/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1546.013"
|
|
name = "PowerShell Profile"
|
|
reference = "https://attack.mitre.org/techniques/T1546/013/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0003"
|
|
name = "Persistence"
|
|
reference = "https://attack.mitre.org/tactics/TA0003/"
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1546"
|
|
name = "Event Triggered Execution"
|
|
reference = "https://attack.mitre.org/techniques/T1546/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1546.013"
|
|
name = "PowerShell Profile"
|
|
reference = "https://attack.mitre.org/techniques/T1546/013/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0004"
|
|
name = "Privilege Escalation"
|
|
reference = "https://attack.mitre.org/tactics/TA0004/"
|
|
|