sbousseaden
5d9277280c
* Update discovery_adfind_command_activity.toml
* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_execution_control_panel_suspicious_args.toml
* Update credential_access_dump_registry_hives.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
* Update privilege_escalation_uac_bypass_mock_windir.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_printspooler_childprocess.toml
* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml
* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update initial_access_suspicious_ms_outlook_child_process.toml
* Update initial_access_suspicious_ms_office_child_process.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update initial_access_suspicious_ms_exchange_process.toml
* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update execution_from_unusual_path_cmdline.toml
* Update execution_enumeration_via_wmiprvse.toml
* Update execution_command_shell_started_by_svchost.toml
* Update discovery_enumerating_domain_trusts_via_nltest.toml
* Update discovery_enumerating_domain_trusts_via_dsquery.toml
* Update defense_evasion_workfolders_control_execution.toml
* Update defense_evasion_iis_httplogging_disabled.toml
* Update defense_evasion_enable_inbound_rdp_with_netsh.toml
* Update defense_evasion_disabling_windows_logs.toml
* Update credential_access_wireless_creds_dumping.toml
* Update credential_access_iis_apppoolsa_pwd_appcmd.toml
* Update credential_access_iis_connectionstrings_dumping.toml
* Update command_and_control_remote_file_copy_desktopimgdownldr.toml
* Update command_and_control_remote_file_copy_mpcmdrun.toml
* Update command_and_control_dns_tunneling_nslookup.toml
* Update persistence_webshell_detection.toml
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
* Update privilege_escalation_named_pipe_impersonation.toml
* Update command_and_control_certreq_postdata.toml
* Update defense_evasion_suspicious_certutil_commands.toml
* Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update persistence_system_shells_via_services.toml
* Update execution_suspicious_cmd_wmi.toml
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update credential_access_dump_registry_hives.toml
* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update defense_evasion_execution_control_panel_suspicious_args.toml
* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update discovery_adfind_command_activity.toml
* Update initial_access_suspicious_ms_outlook_child_process.toml
* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
* Update privilege_escalation_uac_bypass_mock_windir.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_printspooler_childprocess.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_unusual_dir_ads.toml
* Update defense_evasion_wsl_child_process.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_enabled_via_dism.toml
* Update discovery_admin_recon.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update lateral_movement_alternate_creds_pth.toml
* Update persistence_via_windows_management_instrumentation_event_subscription.toml
* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml
* Update persistence_via_application_shimming.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update discovery_adfind_command_activity.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update execution_command_shell_started_by_svchost.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
(cherry picked from commit 27262a585b)
141 lines
6.1 KiB
TOML
141 lines
6.1 KiB
TOML
[metadata]
|
|
creation_date = "2022/11/01"
|
|
integration = ["endpoint", "windows", "system"]
|
|
maturity = "production"
|
|
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
|
min_stack_version = "8.3.0"
|
|
updated_date = "2024/01/16"
|
|
|
|
[transform]
|
|
[[transform.osquery]]
|
|
label = "Osquery - Retrieve DNS Cache"
|
|
query = "SELECT * FROM dns_cache"
|
|
|
|
[[transform.osquery]]
|
|
label = "Osquery - Retrieve All Services"
|
|
query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
|
|
|
|
[[transform.osquery]]
|
|
label = "Osquery - Retrieve Services Running on User Accounts"
|
|
query = """
|
|
SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
|
|
NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
|
|
user_account == null)
|
|
"""
|
|
|
|
[[transform.osquery]]
|
|
label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
|
|
query = """
|
|
SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
|
|
services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
|
|
authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
|
|
"""
|
|
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh."
|
|
from = "now-9m"
|
|
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Wireless Credential Dumping using Netsh Command"
|
|
note = """## Triage and analysis
|
|
|
|
### Investigating Wireless Credential Dumping using Netsh Command
|
|
|
|
Netsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.
|
|
|
|
This rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.
|
|
|
|
> **Note**:
|
|
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
|
|
|
|
#### Possible investigation steps
|
|
|
|
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
|
- Investigate other alerts associated with the user/host during the past 48 hours.
|
|
- Inspect the host for suspicious or abnormal behavior in the alert timeframe:
|
|
- Observe and collect information about the following activities in the alert subject host:
|
|
- Attempts to contact external domains and addresses.
|
|
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.
|
|
- Examine the DNS cache for suspicious or anomalous entries.
|
|
- $osquery_0
|
|
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.
|
|
- Examine the host services for suspicious or anomalous entries.
|
|
- $osquery_1
|
|
- $osquery_2
|
|
- $osquery_3
|
|
|
|
### False positive analysis
|
|
|
|
- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.
|
|
|
|
### Response and remediation
|
|
|
|
- Initiate the incident response process based on the outcome of the triage.
|
|
- Isolate the involved host to prevent further post-compromise behavior.
|
|
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
|
|
- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.
|
|
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
|
|
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
|
|
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
|
|
"""
|
|
references = [
|
|
"https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts",
|
|
"https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/",
|
|
]
|
|
risk_score = 73
|
|
rule_id = "2de87d72-ee0c-43e2-b975-5f0b029ac600"
|
|
severity = "high"
|
|
tags = [
|
|
"Domain: Endpoint",
|
|
"OS: Windows",
|
|
"Use Case: Threat Detection",
|
|
"Tactic: Credential Access",
|
|
"Tactic: Discovery",
|
|
"Data Source: Elastic Endgame",
|
|
"Resources: Investigation Guide",
|
|
"Data Source: Elastic Defend"
|
|
]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
process where host.os.type == "windows" and event.type == "start" and
|
|
(process.name : "netsh.exe" or ?process.pe.original_file_name == "netsh.exe") and
|
|
process.args : "wlan" and process.args : "key*clear"
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1003"
|
|
name = "OS Credential Dumping"
|
|
reference = "https://attack.mitre.org/techniques/T1003/"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1555"
|
|
name = "Credentials from Password Stores"
|
|
reference = "https://attack.mitre.org/techniques/T1555/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0006"
|
|
name = "Credential Access"
|
|
reference = "https://attack.mitre.org/tactics/TA0006/"
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1082"
|
|
name = "System Information Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1082/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0007"
|
|
name = "Discovery"
|
|
reference = "https://attack.mitre.org/tactics/TA0007/"
|
|
|