security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dbfdb7f804ca01a4bc6f4e4318a2fda4fe37f134
sigma-rules/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
T
shashank-elastic 18fcd83683 Back-porting Version Trimming (#3704) 
(cherry picked from commit 63e91c2f12)
2024-05-22 19:18:10 +00:00

77 lines
2.3 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2021/03/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be
indicative of adversary lateral movement preparation by making the added pipe available to everyone.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "NullSessionPipe Registry Modification"
references = [
"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
"https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares",
]
risk_score = 47
rule_id = "ddab1f5f-7089-44f5-9fda-de5b11322e77"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Lateral Movement",
"Tactic: Defense Evasion",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where host.os.type == "windows" and event.type in ("creation", "change") and
registry.path : (
"HKLM\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes",
"\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\services\\LanmanServer\\Parameters\\NullSessionPipes"
) and length(registry.data.strings) > 0
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.002"
name = "SMB/Windows Admin Shares"
reference = "https://attack.mitre.org/techniques/T1021/002/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
Reference in New Issue View Git Blame Copy Permalink