Jonhnathan
ac01718bb6
* [Rule Tuning] Add tags to flag Sysmon-only rules * Modify tags * Revert "Modify tags" This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434. * Modify tags * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py
116 lines
6.7 KiB
TOML
116 lines
6.7 KiB
TOML
[metadata]
|
|
creation_date = "2020/03/19"
|
|
maturity = "production"
|
|
updated_date = "2022/11/04"
|
|
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
|
min_stack_version = "8.3.0"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or
|
|
malware, from a remote URL.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Network Connection via Certutil"
|
|
note = """## Triage and analysis
|
|
|
|
### Investigating Network Connection via Certutil
|
|
|
|
Attackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources
|
|
in order to take the next steps in a compromised environment.
|
|
|
|
This rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in
|
|
[IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)
|
|
|
|
> **Note**:
|
|
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic stack version 8.5.0. Older Elastic stacks versions will see unrendered markdown in this guide.
|
|
|
|
#### Possible investigation steps
|
|
|
|
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for
|
|
prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
|
|
- Investigate other alerts associated with the user/host during the past 48 hours.
|
|
- Investigate if the downloaded file was executed.
|
|
- Determine the context in which `certutil.exe` and the file were run.
|
|
- Examine the host for derived artifacts that indicates suspicious activities:
|
|
- Analyze the downloaded file using a private sandboxed analysis system.
|
|
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
|
|
- Attempts to contact external domains and addresses.
|
|
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by
|
|
filtering by the process' `process.entity_id`.
|
|
- Examine the DNS cache for suspicious or anomalous entries.
|
|
- !{osquery{"query":"SELECT * FROM dns_cache", "label":"Osquery - Retrieve DNS Cache"}}
|
|
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related
|
|
processes in the process tree.
|
|
- Examine the host services for suspicious or anomalous entries.
|
|
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services","label":"Osquery - Retrieve All Services"}}
|
|
- !{osquery{"query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE \"%LocalSystem\" OR user_account LIKE \"%LocalService\" OR user_account LIKE \"%NetworkService\" OR user_account == null)","label":"Osquery - Retrieve Services Running on User Accounts"}}
|
|
- !{osquery{"query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != \"trusted\"","label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link"}}
|
|
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and
|
|
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
|
|
|
### False positive analysis
|
|
|
|
- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified
|
|
anything suspicious, this alert can be closed as a false positive.
|
|
- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination
|
|
of user and command line conditions.
|
|
|
|
### Response and remediation
|
|
|
|
- Initiate the incident response process based on the outcome of the triage.
|
|
- Isolate the involved host to prevent further post-compromise behavior.
|
|
- If the triage identified malware, search the environment for additional compromised hosts.
|
|
- Implement temporary network rules, procedures, and segmentation to contain the malware.
|
|
- Stop suspicious processes.
|
|
- Immediately block the identified indicators of compromise (IoCs).
|
|
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
|
|
attackers could use to reinfect the system.
|
|
- Remove and block malicious artifacts identified during triage.
|
|
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
|
|
malware components.
|
|
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
|
|
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
|
|
mean time to respond (MTTR).
|
|
"""
|
|
references = [
|
|
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml",
|
|
"https://frsecure.com/malware-incident-response-playbook/",
|
|
]
|
|
risk_score = 21
|
|
rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8"
|
|
severity = "low"
|
|
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"]
|
|
type = "eql"
|
|
|
|
query = '''
|
|
sequence by process.entity_id
|
|
[process where process.name : "certutil.exe" and event.type == "start"]
|
|
[network where process.name : "certutil.exe" and
|
|
not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
|
|
"192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
|
|
"192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
|
|
"192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
|
|
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
|
|
"FE80::/10", "FF00::/8")]
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1105"
|
|
name = "Ingress Tool Transfer"
|
|
reference = "https://attack.mitre.org/techniques/T1105/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0011"
|
|
name = "Command and Control"
|
|
reference = "https://attack.mitre.org/tactics/TA0011/"
|
|
|