sigma-rules/rules/windows/lateral_movement_remote_task_creation_winlog.toml
Samirbous 4609a5e8fe [New Rule] Scheduled Task Creation using winlog (#2277)
* [New Rule] Scheduled Task Creation using winlog

https://github.com/elastic/detection-rules/issues/2164 (T1053.005 - Scheduled Task)

- A scheduled task was created
- A scheduled task was updated
- Temp scheduled task (creation followed by deletion, rare and can be sign of proxy execution via schedule service)

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* toml-lint

* remote task

* Update non-ecs-schema.json

* waaaaaaaaaaaaaa

* Update persistence_scheduled_task_updated.toml

* Update persistence_scheduled_task_creation_winlog.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update lateral_movement_remote_task_creation_winlog.toml

* event.ingested

* Update lateral_movement_remote_task_creation_winlog.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update rules/windows/lateral_movement_remote_task_creation_winlog.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-09-19 18:50:45 +02:00


[metadata]
creation_date = "2022/08/29"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/29"
[rule]
author = ["Elastic"]
description = """
Identifies a remote logon followed by a scheduled task creation on the target host. This could be indicative of
adversary lateral movement.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*"]
language = "eql"
license = "Elastic License v2"
name = "Remote Logon followed by Scheduled Task Creation"
note = """## Triage and analysis
### Investigating Remote Scheduled Task Creation
[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism
for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but
they are also used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the
first steps should be to determine the original intent behind the configuration and to verify whether the activity is tied to
benign behavior such as software installation or any kind of network administrator work. One objective for these alerts
is to understand the configured action within the scheduled task. This is captured within the registry event data for
this rule and can be base64 decoded to view the value.
#### Possible investigation steps
- Review the TaskContent value to investigate the task configured action.
- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software
installations.
- Further examination should include review of host-based artifacts and network logs from around when the scheduled task
was created, on both the source and target machines.
### False positive analysis
- There is a high possibility of benign activity tied to the creation of remote scheduled tasks, as it is a general feature
within Windows and is used for a wide range of legitimate purposes. Gather any available context to
further understand the source of the activity and determine the intent based on the scheduled task's contents.
### Related rules
- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc
- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650
- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Remove the scheduled task and any other related artifacts.
- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further
restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.
"""
risk_score = 47
rule_id = "9c865691-5599-447a-bac9-b3f2df5f9a9d"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
type = "eql"
query = '''
/* Network Logon followed by Scheduled Task creation */

sequence by host.id with maxspan=1m

  [authentication where event.action == "logged-in" and
   winlog.logon.type == "Network" and event.outcome == "success" and
   not user.name == "ANONYMOUS LOGON" and not winlog.event_data.SubjectUserName : "*$" and
   not user.domain == "NT AUTHORITY" and source.ip != "127.0.0.1" and source.ip != "::1"] by winlog.event_data.TargetLogonId

  [iam where event.action == "scheduled-task-created"] by winlog.event_data.SubjectLogonId
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
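
The sequence logic of the rule's EQL query, as an added Python example that is not part of the rule file or the detection-rules project: a network logon is joined to a later scheduled-task-created event on the same `host.id` when `TargetLogonId` equals `SubjectLogonId` and the gap is within `maxspan`. The events are constructed, the flat dotted-key dicts are an assumed stand-in for ECS documents, and the single-pass matcher is a simplification of EQL sequence semantics.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=1)  # "with maxspan=1m"

def logon(ts, host, user, ip, logon_id, subject="-", domain="CORP"):
    """Constructed 'logged-in' event carrying the fields the first clause reads."""
    return {"ts": datetime.fromisoformat(ts), "host.id": host,
            "event.category": "authentication", "event.action": "logged-in",
            "event.outcome": "success", "winlog.logon.type": "Network",
            "user.name": user, "user.domain": domain, "source.ip": ip,
            "winlog.event_data.SubjectUserName": subject,
            "winlog.event_data.TargetLogonId": logon_id}

def task(ts, host, logon_id):
    """Constructed 'scheduled-task-created' event for the second clause."""
    return {"ts": datetime.fromisoformat(ts), "host.id": host,
            "event.category": "iam", "event.action": "scheduled-task-created",
            "winlog.event_data.SubjectLogonId": logon_id}

def is_remote_logon(e):
    """First clause of the sequence, condition by condition."""
    return (e["event.category"] == "authentication" and e["event.action"] == "logged-in"
            and e["winlog.logon.type"] == "Network" and e["event.outcome"] == "success"
            and e["user.name"] != "ANONYMOUS LOGON"
            and not e["winlog.event_data.SubjectUserName"].endswith("$")
            and e["user.domain"] != "NT AUTHORITY"
            and e["source.ip"] not in ("127.0.0.1", "::1"))

def detect(events):
    """Return (host.id, logon id, source.ip) for each logon -> task pair within MAXSPAN."""
    pending, hits = {}, []  # pending: (host.id, logon id) -> logon event
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if is_remote_logon(e):
            pending[(e["host.id"], e["winlog.event_data.TargetLogonId"])] = e
        elif e["event.category"] == "iam" and e["event.action"] == "scheduled-task-created":
            key = (e["host.id"], e["winlog.event_data.SubjectLogonId"])
            first = pending.get(key)
            if first and e["ts"] - first["ts"] <= MAXSPAN:
                hits.append((key[0], key[1], first["source.ip"]))
    return hits

SAMPLE = [  # constructed events, not real telemetry
    logon("2022-08-29T10:00:00", "h1", "alice", "10.0.0.5", "0x1a2b"),
    task("2022-08-29T10:00:20", "h1", "0x1a2b"),   # match: same host and logon id, 20s apart
    logon("2022-08-29T10:02:00", "h2", "svc", "10.0.0.7", "0x3c4d", subject="WS01$"),
    task("2022-08-29T10:02:05", "h2", "0x3c4d"),   # no match: SubjectUserName matches "*$"
    logon("2022-08-29T10:05:00", "h1", "bob", "10.0.0.9", "0x5e6f"),
    task("2022-08-29T10:06:30", "h1", "0x5e6f"),   # no match: 90s exceeds maxspan
    task("2022-08-29T10:07:00", "h2", "0x1a2b"),   # no match: logon id seen on another host
]
```

`detect(SAMPLE)` returns only the first pair, which shows how the join on logon ID ties the task creation to the specific remote session rather than to any logon on the host.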