security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
724e34ba95ffb48d13e18a91c547800986164572
sigma-rules/rules_building_block/persistence_netsh_helper_dll.toml
T
Jonhnathan 3614f42b00 [New Rule] New BBR Rules - Part 5 (#3052) 
* [New Rule] New BBR Rules - Part 5

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Tag work

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-09-05 18:36:34 -03:00

69 lines
1.9 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/08/29"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/29"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
description = """
Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality.
Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done
by administrators or a scheduled task.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Netsh Helper DLL"
risk_score = 21
rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
query = '''
registry where event.type == "change" and
registry.path : (
"HKLM\\Software\\Microsoft\\netsh\\*",
"\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\*"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.007"
name = "Netsh Helper DLL"
reference = "https://attack.mitre.org/techniques/T1546/007/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
Reference in New Issue View Git Blame Copy Permalink