security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
71186c8788b3f85dba122647e8992dcafe29c7e3
sigma-rules/rules/windows/initial_access_unusual_dns_service_file_writes.toml
T
Jonhnathan 0273d118a6 [Rule Tuning] Add endgame support for Windows Rules (#2428) 
* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* 1/2

* bump updated_date

* 2/3

* Finale

* Update persistence_evasion_registry_ifeo_injection.toml

* .

* Multiple fixes

* Missing index

* Missing AND
2023-03-06 12:47:11 -03:00

63 lines
2.7 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/07/16"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
[rule]
author = ["Elastic"]
description = """
Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which
may indicate activity related to remote code execution or other forms of exploitation.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual File Modification by dns.exe"
note = """## Triage and analysis
### Investigating Unusual File Write
Detection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:
- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.
- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.
## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
"https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability",
]
risk_score = 73
rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "windows" and process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and
not file.name : "dns.log" and not
(file.extension : ("old", "temp", "bak", "dns", "arpa") and file.path : "C:\\Windows\\System32\\dns\\*")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1133"
name = "External Remote Services"
reference = "https://attack.mitre.org/techniques/T1133/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
Reference in New Issue View Git Blame Copy Permalink