From ff5bad9b4d9fc4a862d3c4cc6831b781b46c6ef3 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 12 Aug 2020 19:33:50 +0200
Subject: [PATCH 01/11] tunning of 3 existing rules added not to accessibility rule added whoami to system identity running discovery utility added regasm.exe to registration utility performing ntcon
---
 rules/windows/discovery_net_command_system_account.toml | 5 ++---
 ...n_register_server_program_connecting_to_the_internet.toml | 4 ++--
 ...rsistence_priv_escalation_via_accessibility_features.toml | 2 +-
 3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml
index dee53f54472..7dd0f6a1e42 100644
--- a/rules/windows/discovery_net_command_system_account.toml
+++ b/rules/windows/discovery_net_command_system_account.toml
@@ -7,8 +7,7 @@ updated_date = "2020/08/03"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the SYSTEM account using the Net utility. The Net utility is a component of the Windows operating system. It
-is used in command line operations for control of users, groups, services, and network connections.
+Identifies the SYSTEM account using an account discovery utility. This could be a sign of discovery post successful privileges elevation.
 """
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
@@ -22,7 +21,7 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and
- (process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and
+ (process.name:whoami.exe or process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and
 user.name:SYSTEM
 '''
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 606e297a50b..4350880d7fa 100644
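Review bot: Adding `process.name:whoami.exe` widens the rule beyond net.exe, but nothing in the patch updates the rule's ATT&CK mapping, which (per the context lines visible in the follow-up patch) only references Account Discovery, T1087. whoami.exe enumeration is System Owner/User Discovery, so a second `[[rule.threat.technique]]` with `id = "T1033"`, `name = "System Owner/User Discovery"` and `reference = "https://attack.mitre.org/techniques/T1033/"` belongs alongside the existing T1087 entry. SYSTEM-context management and deployment scripts commonly call whoami as a sanity check — an assumption to confirm against your telemetry — so the rule's `false_positives` list, outside this hunk, should say so, and the rule `name` should be revisited if it still refers only to the Net command. The rest of the rule definition lies outside the hunk.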
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -7,7 +7,7 @@ updated_date = "2020/08/03"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of
+Identifies the native Windows tools regsvr32.exe regsvr64.exe or RegAsm.exe making a network connection. This may be indicative of
 an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.
 """
 false_positives = [
@@ -28,7 +28,7 @@ type = "query"
 query = '''
 event.category:network and event.type:connection and
- process.name:(regsvr32.exe or regsvr64.exe) and
+ process.name:(regsvr32.exe or regsvr64.exe or RegAsm.exe) and
 not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index 1979915c1a3..32b4a392989 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -22,7 +22,7 @@ tags = ["Elastic", "Windows"]
 type = "query"
 query = '''
-event.code:1 and process.parent.name:winlogon.exe and process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)
+event.code:1 and process.parent.name:winlogon.exe and not process.name:(atbroker.exe or displayswitch.exe or magnify.exe or narrator.exe or osk.exe or sethc.exe or utilman.exe)
 '''
From af4c339df059639e724f4fc2f773dd5f476e9a52 Mon Sep 17 00:00:00 2001
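Review bot: `RegAsm.exe` is added in mixed case next to the all-lowercase `regsvr32.exe`/`regsvr64.exe`, and if `process.name` is an ECS keyword field (the default mapping) the KQL term is an exact, case-sensitive match, so the clause fires only when the data source reports the image name exactly as `RegAsm.exe` and silently misses `regasm.exe`. Either list both spellings, `process.name:(regsvr32.exe or regsvr64.exe or RegAsm.exe or regasm.exe) and`, or normalize casing in the ingest pipeline and use one convention for the whole list; the same applies to `RegSvcs.exe` added by a later patch in this series. Note also that the private-range exclusion on the next context line is unchanged, so a RegAsm connection to an internal pivot host is still invisible to this rule — probably acceptable for a low-severity rule, but worth stating in `false_positives`. The query block is complete within the hunk; the rest of the rule is outside it.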
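Review bot: Negating the process.name list turns the query from "winlogon spawned an accessibility binary" into "winlogon spawned anything else", and the hunk adds no exclusions for the children winlogon starts on every logon (on a standard Windows 10 host at least `userinit.exe`, `LogonUI.exe`, `dwm.exe`, `fontdrvhost.exe` and `mpnotify.exe` — verify against your telemetry), so expect at least one alert per logon session until those are excluded. The new form does catch the IFEO debugger variant of T1546.008 (winlogon launching e.g. cmd.exe in place of sethc.exe), but it drops the binary-replacement variant the old query covered, where a trojanized `sethc.exe`/`utilman.exe` keeps its name and is now explicitly excluded; keeping that coverage needs a second clause on the original list gated by a signature or hash condition, if your data source populates one. As a minimum, extend the exclusion with `or userinit.exe or LogonUI.exe or dwm.exe or fontdrvhost.exe or mpnotify.exe` (mind the case-sensitivity of keyword matching for `LogonUI.exe`). If the rule's name and description still describe accessibility-feature abuse they should be updated too; they are outside this hunk.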
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 12 Aug 2020 21:26:52 +0200
Subject: [PATCH 02/11] Update rules/windows/discovery_net_command_system_account.toml
Co-authored-by: Justin Ibarra
---
 rules/windows/discovery_net_command_system_account.toml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml
index 7dd0f6a1e42..5065e98d525 100644
--- a/rules/windows/discovery_net_command_system_account.toml
+++ b/rules/windows/discovery_net_command_system_account.toml
@@ -21,7 +21,7 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and
- (process.name:whoami.exe or process.name:net.exe or process.name:net1.exe and not process.parent.name:net.exe) and
+ (process.name:(whoami.exe or net.exe) or process.name:net1.exe and not process.parent.name:net.exe) and
 user.name:SYSTEM
 '''
@@ -38,4 +38,3 @@ reference = "https://attack.mitre.org/techniques/T1087/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
From 6c3bfcbc6b59b04332387e102b598222921d0af7 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 12 Aug 2020 22:30:27 +0200
Subject: [PATCH 03/11] Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml
Co-authored-by: Justin Ibarra
---
 ...ion_register_server_program_connecting_to_the_internet.toml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 4350880d7fa..f5f9e4eeb90 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
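Review bot: The regrouped line still mixes `or` and `and` without parentheses around the net1.exe clause: `process.name:(whoami.exe or net.exe) or process.name:net1.exe and not process.parent.name:net.exe`. KQL gives `and` precedence over `or`, so this parses as intended — the parent exclusion applies only to net1.exe, not to whoami or net — but a reader has to know the precedence rule, and the author's own grouping of whoami/net shows the intent deserves to be spelled out: `  (process.name:(whoami.exe or net.exe) or (process.name:net1.exe and not process.parent.name:net.exe)) and`. The second hunk in this patch only removes a trailing blank line and needs no change.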
@@ -7,7 +7,7 @@ updated_date = "2020/08/03"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the native Windows tools regsvr32.exe regsvr64.exe or RegAsm.exe making a network connection. This may be indicative of
+Identifies the native Windows tools regsvr32.exe, regsvr64.exe, or RegAsm.exe making a network connection. This may be indicative of
 an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.
 """
 false_positives = [
@@ -57,4 +57,3 @@ reference = "https://attack.mitre.org/techniques/T1117/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
From 27fbaa4f324dc8c758380f25e7198bc321e32fd5 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 12 Aug 2020 23:32:57 +0200
Subject: [PATCH 04/11] Update execution_register_server_program_connecting_to_the_internet.toml
---
 ...egister_server_program_connecting_to_the_internet.toml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index f5f9e4eeb90..eaa56434a33 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -28,7 +28,7 @@ type = "query"
 query = '''
 event.category:network and event.type:connection and
- process.name:(regsvr32.exe or regsvr64.exe or RegAsm.exe) and
+ process.name:(regsvr32.exe or regsvr64.exe or RegAsm.exe or RegSvcs.exe) and
 not destination.ip:(10.0.0.0/8 or 169.254.169.254 or 172.16.0.0/12 or 192.168.0.0/16)
 '''
@@ -48,9 +48,9 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1117"
-name = "Regsvr32"
-reference = "https://attack.mitre.org/techniques/T1117/"
+id = "T1218"
+name = "Signed Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
 [rule.threat.tactic]
From 5f70cc25cb6b6a001bc1219646d19305967f2d06 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 12 Aug 2020 23:33:45 +0200
Subject: [PATCH 05/11] Update execution_register_server_program_connecting_to_the_internet.toml
---
 ...tion_register_server_program_connecting_to_the_internet.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index eaa56434a33..3c6b73ce8b4 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -7,7 +7,7 @@ updated_date = "2020/08/03"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the native Windows tools regsvr32.exe, regsvr64.exe, or RegAsm.exe making a network connection. This may be indicative of
+Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe or RegAsm.exe making a network connection. This may be indicative of
 an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.
 """
 false_positives = [
From 77dfd9fa9d535a0c925afbf784359a59c094d1f8 Mon Sep 17 00:00:00 2001
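Review bot: Replacing the deprecated T1117 with the umbrella T1218 is correct but loses the specificity the old mapping had; ATT&CK now expresses these behaviours as sub-techniques T1218.010 (Regsvr32) and T1218.009 (Regsvcs/Regasm), which is exactly the set of binaries the query now matches after the previous hunk. If the rule schema in use supports sub-technique entries under `[[rule.threat.technique]]`, add both, with `reference = "https://attack.mitre.org/techniques/T1218/010/"` and `reference = "https://attack.mitre.org/techniques/T1218/009/"`; if it does not yet, at least record the two IDs in the rule's notes so the mapping can be tightened when it does. The `[rule.threat.tactic]` block that follows is cut off at the end of the hunk, so I cannot confirm it still reads Defense Evasion.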
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 12 Aug 2020 23:39:35 +0200
Subject: [PATCH 06/11] Update execution_register_server_program_connecting_to_the_internet.toml
---
 ...tion_register_server_program_connecting_to_the_internet.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 3c6b73ce8b4..b31a5b2352b 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -19,7 +19,7 @@ false_positives = [
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
-name = "Network Connection via Regsvr"
+name = "Network Connection via Registration Utility"
 risk_score = 21
 rule_id = "fb02b8d3-71ee-4af1-bacd-215d23f17efa"
 severity = "low"
From 3197500a1211b8101fe0e75c926fe37df13dab57 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 12 Aug 2020 23:40:36 +0200
Subject: [PATCH 07/11] Update execution_register_server_program_connecting_to_the_internet.toml
---
 ...tion_register_server_program_connecting_to_the_internet.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index b31a5b2352b..0d902ae3350 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@ creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/08/12"
 [rule]
 author = ["Elastic"]
From 417df921af0b5268ef8519ed90df57b0f7301465 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 13 Aug 2020 09:51:35 +0200
Subject: [PATCH 08/11] Update persistence_priv_escalation_via_accessibility_features.toml
---
 .../persistence_priv_escalation_via_accessibility_features.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index 32b4a392989..ceb6dd5778e 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,7 +2,7 @@ creation_date = "2020/02/18"
 ecs_version = ["1.4.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/08/12"
 [rule]
 author = ["Elastic"]
From 215a0fa767d4a5e20c4369c4439b0c2e3a988ffa Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 13 Aug 2020 09:52:41 +0200
Subject: [PATCH 09/11] Update discovery_net_command_system_account.toml
---
 rules/windows/discovery_net_command_system_account.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml
index 5065e98d525..f45473a760e 100644
--- a/rules/windows/discovery_net_command_system_account.toml
+++ b/rules/windows/discovery_net_command_system_account.toml
@@ -2,7 +2,7 @@ creation_date = "2020/03/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/08/12"
 [rule]
 author = ["Elastic"]
From 45f9a0cad6b38dc7f3661cb8fe0473be8f4b3652 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 4 Sep 2020 09:40:56 +0200
Subject: [PATCH 10/11] Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml
Co-authored-by: Justin Ibarra
---
 ...tion_register_server_program_connecting_to_the_internet.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 17407a89f17..0080a837353 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -7,7 +7,7 @@ updated_date = "2020/08/12"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe or RegAsm.exe making a network connection. This may be indicative of
+Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of
 an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.
 """
 false_positives = [
From 253c02b73ee074bcfafc2e7f9bfda967f30a0875 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 4 Sep 2020 09:41:28 +0200
Subject: [PATCH 11/11] Update rules/windows/discovery_net_command_system_account.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
---
 rules/windows/discovery_net_command_system_account.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml
index 8f1e0bbbdd9..c8afde2d62f 100644
--- a/rules/windows/discovery_net_command_system_account.toml
+++ b/rules/windows/discovery_net_command_system_account.toml
@@ -7,7 +7,7 @@ updated_date = "2020/08/12"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the SYSTEM account using an account discovery utility. This could be a sign of discovery post successful privileges elevation.
+Identifies the SYSTEM account using an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]