shashank-elastic
261 lines
8.5 KiB
TOML
261 lines
8.5 KiB
TOML
[metadata]
|
|
creation_date = "2023/07/06"
|
|
integration = ["windows"]
|
|
maturity = "production"
|
|
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
|
min_stack_version = "8.3.0"
|
|
updated_date = "2023/10/19"
|
|
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various
|
|
situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.
|
|
"""
|
|
from = "now-119m"
|
|
interval = "60m"
|
|
index = ["winlogbeat-*", "logs-windows.*"]
|
|
language = "kuery"
|
|
license = "Elastic License v2"
|
|
name = "PowerShell Script with Discovery Capabilities"
|
|
risk_score = 21
|
|
rule_id = "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be"
|
|
setup = """
|
|
The 'PowerShell Script Block Logging' logging policy must be enabled.
|
|
Steps to implement the logging policy with Advanced Audit Configuration:
|
|
|
|
```
|
|
Computer Configuration >
|
|
Administrative Templates >
|
|
Windows PowerShell >
|
|
Turn on PowerShell Script Block Logging (Enable)
|
|
```
|
|
|
|
Steps to implement the logging policy via registry:
|
|
|
|
```
|
|
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
|
|
```
|
|
"""
|
|
severity = "low"
|
|
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"]
|
|
timestamp_override = "event.ingested"
|
|
type = "query"
|
|
building_block_type = "default"
|
|
|
|
query = '''
|
|
event.category:process and host.os.type:windows and
|
|
powershell.file.script_block_text : (
|
|
(
|
|
("Get-ItemProperty" or "Get-Item") and "-Path"
|
|
) or
|
|
(
|
|
"Get-ADDefaultDomainPasswordPolicy" or
|
|
"Get-ADDomain" or "Get-ComputerInfo" or
|
|
"Get-Disk" or "Get-DnsClientCache" or
|
|
"Get-GPOReport" or "Get-HotFix" or
|
|
"Get-LocalUser" or "Get-NetFirewallProfile" or
|
|
"get-nettcpconnection" or "Get-NetAdapter" or
|
|
"Get-PhysicalDisk" or "Get-Process" or
|
|
"Get-PSDrive" or "Get-Service" or
|
|
"Get-SmbShare" or "Get-WinEvent"
|
|
) or
|
|
(
|
|
("Get-WmiObject" or "gwmi" or "Get-CimInstance" or
|
|
"gcim" or "Management.ManagementObjectSearcher" or
|
|
"System.Management.ManagementClass" or
|
|
"[WmiClass]" or "[WMI]") and
|
|
(
|
|
"AntiVirusProduct" or "CIM_BIOSElement" or "CIM_ComputerSystem" or "CIM_Product" or "CIM_DiskDrive" or
|
|
"CIM_LogicalDisk" or "CIM_NetworkAdapter" or "CIM_StorageVolume" or "CIM_OperatingSystem" or
|
|
"CIM_Process" or "CIM_Service" or "MSFT_DNSClientCache" or "Win32_BIOS" or "Win32_ComputerSystem" or
|
|
"Win32_ComputerSystemProduct" or "Win32_DiskDrive" or "win32_environment" or "Win32_Group" or
|
|
"Win32_groupuser" or "Win32_IP4RouteTable" or "Win32_logicaldisk" or "Win32_MappedLogicalDisk" or
|
|
"Win32_NetworkAdapterConfiguration" or "win32_ntdomain" or "Win32_OperatingSystem" or
|
|
"Win32_PnPEntity" or "Win32_Process" or "Win32_Product" or "Win32_quickfixengineering" or
|
|
"win32_service" or "Win32_Share" or "Win32_UserAccount"
|
|
)
|
|
) or
|
|
(
|
|
("ADSI" and "WinNT") or
|
|
("Get-ChildItem" and "sysmondrv.sys") or
|
|
("::GetIPGlobalProperties()" and "GetActiveTcpConnections()") or
|
|
("ServiceProcess.ServiceController" and "::GetServices") or
|
|
("Diagnostics.Process" and "::GetProcesses") or
|
|
("DirectoryServices.Protocols.GroupPolicy" and ".GetGPOReport()") or
|
|
("DirectoryServices.AccountManagement" and "PrincipalSearcher") or
|
|
("NetFwTypeLib.NetFwMgr" and "CurrentProfile") or
|
|
("NetworkInformation.NetworkInterface" and "GetAllNetworkInterfaces") or
|
|
("Automation.PSDriveInfo") or
|
|
("Microsoft.Win32.RegistryHive")
|
|
) or
|
|
(
|
|
"Get-ItemProperty" and
|
|
(
|
|
"\Control\SecurityProviders\WDigest" or
|
|
"\microsoft\windows\currentversion\explorer\runmru" or
|
|
"\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" or
|
|
"\Microsoft\Windows\CurrentVersion\Uninstall" or
|
|
"\Microsoft\Windows\WindowsUpdate" or
|
|
"Policies\Microsoft\Windows\Installer" or
|
|
"Software\Microsoft\Windows\CurrentVersion\Policies" or
|
|
("\Services\SharedAccess\Parameters\FirewallPolicy" and "EnableFirewall") or
|
|
("Microsoft\Windows\CurrentVersion\Internet Settings" and "proxyEnable")
|
|
)
|
|
) or
|
|
(
|
|
("Directoryservices.Activedirectory" or
|
|
"DirectoryServices.AccountManagement") and
|
|
(
|
|
"Domain Admins" or "DomainControllers" or
|
|
"FindAllGlobalCatalogs" or "GetAllTrustRelationships" or
|
|
"GetCurrentDomain" or "GetCurrentForest"
|
|
) or
|
|
"DirectoryServices.DirectorySearcher" and
|
|
(
|
|
"samAccountType=805306368" or
|
|
"samAccountType=805306369" or
|
|
"objectCategory=group" or
|
|
"objectCategory=groupPolicyContainer" or
|
|
"objectCategory=site" or
|
|
"objectCategory=subnet" or
|
|
"objectClass=trustedDomain"
|
|
)
|
|
) or
|
|
(
|
|
"Get-Process" and
|
|
(
|
|
"mcshield" or "windefend" or "savservice" or
|
|
"TMCCSF" or "symantec antivirus" or
|
|
"CSFalcon" or "TmPfw" or "kvoop"
|
|
)
|
|
)
|
|
) and
|
|
not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") and
|
|
not file.path : (
|
|
?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.psd1 or
|
|
?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.psm1 or
|
|
?\:\\\\Program?Files\\\\Microsoft?Azure?AD?Sync\\\\Extensions\\\\AADConnector.psm1* or
|
|
*ServiceNow?MID?Server*agent\\\\scripts\\\\PowerShell\\\\*.psm1 or
|
|
?\:\\\\*\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1
|
|
) and
|
|
not (
|
|
file.path : (
|
|
?\:\\\\*\\\\TEMP\\\\SDIAG* or
|
|
?\:\\\\TEMP\\\\SDIAG* or
|
|
?\:\\\\Temp\\\\SDIAG* or
|
|
?\:\\\\temp\\\\SDIAG* or
|
|
?\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\SDIAG* or
|
|
?\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\SDIAG*
|
|
) and file.name : "CL_Utility.ps1"
|
|
)
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1087"
|
|
name = "Account Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1087/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1087.001"
|
|
name = "Local Account"
|
|
reference = "https://attack.mitre.org/techniques/T1087/001/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1087.002"
|
|
name = "Domain Account"
|
|
reference = "https://attack.mitre.org/techniques/T1087/002/"
|
|
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1482"
|
|
name = "Domain Trust Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1482/"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1082"
|
|
name = "System Information Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1082/"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1083"
|
|
name = "File and Directory Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1083/"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1615"
|
|
name = "Group Policy Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1615/"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1135"
|
|
name = "Network Share Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1135/"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1201"
|
|
name = "Password Policy Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1201/"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1057"
|
|
name = "Process Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1057/"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1518"
|
|
name = "Software Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1518/"
|
|
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1518.001"
|
|
name = "Security Software Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1518/001/"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1012"
|
|
name = "Query Registry"
|
|
reference = "https://attack.mitre.org/techniques/T1012/"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1082"
|
|
name = "System Information Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1082/"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1049"
|
|
name = "System Network Connections Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1049/"
|
|
|
|
[[rule.threat.technique]]
|
|
id = "T1007"
|
|
name = "System Service Discovery"
|
|
reference = "https://attack.mitre.org/techniques/T1007/"
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0007"
|
|
name = "Discovery"
|
|
reference = "https://attack.mitre.org/tactics/TA0007/"
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1059"
|
|
name = "Command and Scripting Interpreter"
|
|
reference = "https://attack.mitre.org/techniques/T1059/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1059.001"
|
|
name = "PowerShell"
|
|
reference = "https://attack.mitre.org/techniques/T1059/001/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0002"
|
|
name = "Execution"
|
|
reference = "https://attack.mitre.org/tactics/TA0002/"
|
|
|