security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
db54ea7467a6750fe2b59fc48375cf14ab3ca2cd
sigma-rules/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
T
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00

94 lines
2.6 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/03/03"
[rule]
author = ["Elastic"]
description = """
Windows contains accessibility features that may be launched with a key combination before a user has logged in. An
adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the
system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Modification of Accessibility Binaries"
references = ["https://www.elastic.co/blog/practical-security-engineering-stateful-detection"]
risk_score = 73
rule_id = "7405ddf1-6c8e-41ce-818f-48bea6bcaed8"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started", "info") and
process.parent.name : ("Utilman.exe", "winlogon.exe") and user.name == "SYSTEM" and
process.args :
(
"C:\\Windows\\System32\\osk.exe",
"C:\\Windows\\System32\\Magnify.exe",
"C:\\Windows\\System32\\Narrator.exe",
"C:\\Windows\\System32\\Sethc.exe",
"utilman.exe",
"ATBroker.exe",
"DisplaySwitch.exe",
"sethc.exe"
)
and not process.pe.original_file_name in
(
"osk.exe",
"sethc.exe",
"utilman2.exe",
"DisplaySwitch.exe",
"ATBroker.exe",
"ScreenMagnifier.exe",
"SR.exe",
"Narrator.exe",
"magnify.exe",
"MAGNIFY.EXE"
)
/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */
/* and process.code_signature.subject_name == "Microsoft Windows" and process.code_signature.status == "trusted" */
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.008"
name = "Accessibility Features"
reference = "https://attack.mitre.org/techniques/T1546/008/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.008"
name = "Accessibility Features"
reference = "https://attack.mitre.org/techniques/T1546/008/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
Reference in New Issue View Git Blame Copy Permalink