Jonhnathan
290763d9bb
* [Security Content] Add Investigation Guides - 4 * Apply suggestions from code review Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/windows/initial_access_script_executing_powershell.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * lint * Update persistence_user_account_creation.toml * Apply suggestions from code review Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * . * Fixes and lint * . * . * revert modifications * Apply suggestions from code review Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update impact_stop_process_service_threshold.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
104 lines
4.1 KiB
TOML
104 lines
4.1 KiB
TOML
[metadata]
|
|
creation_date = "2020/11/18"
|
|
maturity = "production"
|
|
updated_date = "2022/03/31"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder.
|
|
Adversaries may abuse this technique to maintain persistence in an environment.
|
|
"""
|
|
from = "now-9m"
|
|
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Persistent Scripts in the Startup Directory"
|
|
note = """## Triage and analysis
|
|
|
|
### Investigating Persistent Scripts in the Startup Directory
|
|
|
|
The Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account
|
|
logon, without user interaction, providing an excellent way for attackers to maintain persistence.
|
|
|
|
This rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.
|
|
|
|
#### Possible investigation steps
|
|
|
|
- Investigate the process execution chain (parent process tree).
|
|
- Investigate other alerts related to the user/host in the last 48 hours.
|
|
- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate
|
|
software installations.
|
|
- Determine if activity is unique by validating if other machines in the organization have similar entries.
|
|
- Retrieve the script file:
|
|
- Use a sandboxed malware analysis system to perform analysis.
|
|
- Observe attempts to contact external domains and addresses.
|
|
- Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
|
|
- Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
|
|
|
|
### False positive analysis
|
|
|
|
- There is a low possibility of benign legitimate scripts being added to Startup folders. Validate whether this activity
|
|
is benign.
|
|
|
|
|
|
### Related rules
|
|
|
|
- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff
|
|
- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f
|
|
|
|
### Response and remediation
|
|
|
|
- Initiate the incident response process based on the outcome of the triage.
|
|
- Isolate the involved host to prevent further post-compromise behavior.
|
|
- If the triage identified malware, search the environment for additional compromised hosts.
|
|
- Implement any temporary network rules, procedures, and segmentation required to contain the malware.
|
|
- Immediately block the identified indicators of compromise (IoCs).
|
|
- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
|
|
|
|
## Config
|
|
|
|
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
|
|
"""
|
|
risk_score = 47
|
|
rule_id = "f7c4dc5a-a58d-491d-9f14-9b66507121c0"
|
|
severity = "medium"
|
|
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
|
|
timestamp_override = "event.ingested"
|
|
type = "eql"
|
|
|
|
query = '''
|
|
file where event.type != "deletion" and user.domain != "NT AUTHORITY" and
|
|
|
|
/* detect shortcuts created by wscript.exe or cscript.exe */
|
|
(file.path : "C:\\*\\Programs\\Startup\\*.lnk" and
|
|
process.name : ("wscript.exe", "cscript.exe")) or
|
|
|
|
/* detect vbs or js files created by any process */
|
|
file.path : ("C:\\*\\Programs\\Startup\\*.vbs",
|
|
"C:\\*\\Programs\\Startup\\*.vbe",
|
|
"C:\\*\\Programs\\Startup\\*.wsh",
|
|
"C:\\*\\Programs\\Startup\\*.wsf",
|
|
"C:\\*\\Programs\\Startup\\*.js")
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1547"
|
|
name = "Boot or Logon Autostart Execution"
|
|
reference = "https://attack.mitre.org/techniques/T1547/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1547.001"
|
|
name = "Registry Run Keys / Startup Folder"
|
|
reference = "https://attack.mitre.org/techniques/T1547/001/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0003"
|
|
name = "Persistence"
|
|
reference = "https://attack.mitre.org/tactics/TA0003/"
|
|
|