Skip to content

[Rule Tuning] Mimikatz powershell module activity detected #1297

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
brokensound77 merged 33 commits into from
Jul 21, 2021
Merged

[Rule Tuning] Mimikatz powershell module activity detected #1297

brokensound77 merged 33 commits into from
Jul 21, 2021

Conversation

@austinsonger
Copy link
Contributor

@austinsonger austinsonger commented Jun 17, 2021
edited
Loading

Issues

Summary

So that this rule only had logs-endpoint.events.* so I added the following:

index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]

This could of been done on purpose. But I'm assuming that it was done by mistake.

Contributor checklist

austinsonger and others added 26 commits April 20, 2021 12:47
@austinsonger
Update impact_iam_deactivate_mfa_device.toml
13b7a2c 
elastic#1111
@austinsonger
Update impact_iam_deactivate_mfa_device.toml
da7d230
@austinsonger
Update discovery_post_exploitation_external_ip_lookup.toml
b57fd60 
        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"
@austinsonger
Merge branch 'main' into main
b0bddce
@austinsonger
Merge branch 'main' into main
178baaf
@austinsonger @bm11100
Update rules/aws/impact_iam_deactivate_mfa_device.toml
475a132 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
@austinsonger
Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
ef40cc2 
This reverts commit b57fd60.
@austinsonger
Merge pull request #1 from elastic/main
3c9fed2 
[Rule Tuning] AWS IAM Deactivation of MFA Device (elastic#1132)
@austinsonger
Merge pull request #2 from elastic/main
76344b7 
[New Rule] Threat intel indicator match rule (elastic#1133)
@austinsonger
Merge pull request #3 from elastic/main
1f4723e 
Catching Up
@austinsonger
Merge pull request #4 from elastic/main
e60c7fe 
Update
@austinsonger
Merge branch 'elastic:main' into main
71b7597
@austinsonger
Merge branch 'elastic:main' into main
80d1035
@austinsonger
Merge branch 'elastic:main' into main
bdf860d
@austinsonger
Merge branch 'elastic:main' into main
d5dda87
@austinsonger
Update
6833d0b
@austinsonger
New Rule: Okta User Attempted Unauthorized Access
006e02e
@austinsonger
Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
1297aac
@austinsonger
Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
7d6357a
@austinsonger
Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
72ffc88
@austinsonger
Create persistence_new-or-modified-federation-domain.toml
037d240
@austinsonger
Delete persistence_new-or-modified-federation-domain.toml
5bb487b
@austinsonger
Merge branch 'elastic:main' into main
0be9c10
@austinsonger
Merge branch 'elastic:main' into main
deb69c5
@austinsonger
Merge branch 'elastic:main' into main
171867b
@austinsonger
Update credential_access_mimikatz_powershell_module.toml
1e2796c
rw-access
rw-access reviewed Jun 21, 2021
View reviewed changes
@austinsonger @rw-access
Update rules/windows/credential_access_mimikatz_powershell_module.toml
e6174b4 
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
austinsonger and others added 2 commits June 21, 2021 09:20
@austinsonger @rw-access
Update rules/windows/credential_access_mimikatz_powershell_module.toml
f23ff74 
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
@austinsonger @rw-access
Update .gitignore
3ee2d14 
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
@brokensound77 brokensound77 added Rule: Tuning tweaking or tuning an existing rule community labels Jun 22, 2021
brokensound77
brokensound77 reviewed Jun 22, 2021
View reviewed changes
Copy link
Contributor

@brokensound77 brokensound77 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we are changing this, can you update the query to be case insensitive on the process name

-process.name in ("cmd.exe", "powershell.exe")
+process.name : ("cmd.exe", "powershell.exe")

And bump updated_date, please

@bm11100
Copy link
Contributor

bm11100 commented Jun 22, 2021

Since we are changing this, can you update the query to be case insensitive on the process name

-process.name in ("cmd.exe", "powershell.exe")
+process.name : ("cmd.exe", "powershell.exe")

And bump updated_date, please

Could also add pwsh.exe to the process names as well.

@brokensound77 brokensound77 merged commit 95e6458 into elastic:main Jul 21, 2021
protectionsmachine pushed a commit that referenced this pull request Jul 21, 2021
@austinsonger @github-actions
[Rule Tuning] Mimikatz powershell module activity detected (#1297)
34b37c0 
* update query
* add indexes

(cherry picked from commit 95e6458)
protectionsmachine pushed a commit that referenced this pull request Jul 21, 2021
@austinsonger @github-actions
[Rule Tuning] Mimikatz powershell module activity detected (#1297)
bc82e21 
* update query
* add indexes

(cherry picked from commit 95e6458)
@austinsonger austinsonger deleted the Mimikatz-Powershell-Module-Activity-Detected branch July 22, 2021 18:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@rw-access rw-access rw-access left review comments

@brokensound77 brokensound77 brokensound77 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport: auto community Rule: Tuning tweaking or tuning an existing rule

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@austinsonger @bm11100 @brokensound77 @rw-access