Justin Ibarra
6bdfddac8e
* Expand timestamp_override tests * removed timestamp_override from eql sequence rules * add config entry for eql rules with beats index and t_o * add timestamp_override to missing fields
95 lines
3.0 KiB
TOML
95 lines
3.0 KiB
TOML
[metadata]
|
|
creation_date = "2020/01/07"
|
|
maturity = "production"
|
|
updated_date = "2022/03/31"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one
|
|
that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate
|
|
privileges via privileged file write vulnerabilities.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Suspicious DLL Loaded for Persistence or Privilege Escalation"
|
|
note = """## Config
|
|
|
|
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
|
|
"""
|
|
references = [
|
|
"https://itm4n.github.io/windows-dll-hijacking-clarified/",
|
|
"http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
|
|
"https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html",
|
|
"https://shellz.club/edgegdi-dll-for-persistence-and-lateral-movement/",
|
|
"https://windows-internals.com/faxing-your-way-to-system/",
|
|
"http://waleedassar.blogspot.com/2013/01/wow64logdll.html",
|
|
]
|
|
risk_score = 73
|
|
rule_id = "bfeaf89b-a2a7-48a3-817f-e41829dc61ee"
|
|
severity = "high"
|
|
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Privilege Escalation"]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
library where dll.name :
|
|
(
|
|
"wlbsctrl.dll",
|
|
"wbemcomn.dll",
|
|
"WptsExtensions.dll",
|
|
"Tsmsisrv.dll",
|
|
"TSVIPSrv.dll",
|
|
"Msfte.dll",
|
|
"wow64log.dll",
|
|
"WindowsCoreDeviceInfo.dll",
|
|
"Ualapi.dll",
|
|
"wlanhlp.dll",
|
|
"phoneinfo.dll",
|
|
"EdgeGdi.dll",
|
|
"cdpsgshims.dll",
|
|
"windowsperformancerecordercontrol.dll",
|
|
"diagtrack_win.dll"
|
|
) and
|
|
not (dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation") and dll.code_signature.status : "trusted")
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1574"
|
|
name = "Hijack Execution Flow"
|
|
reference = "https://attack.mitre.org/techniques/T1574/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1574.002"
|
|
name = "DLL Side-Loading"
|
|
reference = "https://attack.mitre.org/techniques/T1574/002/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0004"
|
|
name = "Privilege Escalation"
|
|
reference = "https://attack.mitre.org/tactics/TA0004/"
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1574"
|
|
name = "Hijack Execution Flow"
|
|
reference = "https://attack.mitre.org/techniques/T1574/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1574.001"
|
|
name = "DLL Search Order Hijacking"
|
|
reference = "https://attack.mitre.org/techniques/T1574/001/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0003"
|
|
name = "Persistence"
|
|
reference = "https://attack.mitre.org/tactics/TA0003/"
|
|
|