-
Notifications
You must be signed in to change notification settings - Fork 514
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[New Rules] [BBR] Windows Deprecated ERs Conversion - 3 (#3143)
* [New Rules] [BBR] Windows Deprecated ERs Conversion - 3 * Update defense_evasion_invalid_codesign_imageload.toml * Update defense_evasion_invalid_codesign_imageload.toml * Update rules_building_block/initial_access_execution_remote_via_msiexec.toml Co-authored-by: Ruben Groenewoud <[email protected]> * Update rules_building_block/initial_access_xsl_script_execution_via_com.toml Co-authored-by: Isai <[email protected]> * Update rules_building_block/initial_access_execution_remote_via_msiexec.toml Co-authored-by: Isai <[email protected]> --------- Co-authored-by: Ruben Groenewoud <[email protected]> Co-authored-by: Isai <[email protected]>
- Loading branch information
3 people
authored
Oct 17, 2023
1 parent
3ea3e5a
commit 74222f8
Showing
4 changed files
with
272 additions
and
0 deletions.
There are no files selected for viewing
55 changes: 55 additions & 0 deletions
55
rules_building_block/defense_evasion_invalid_codesign_imageload.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| [metadata] | ||
| creation_date = "2023/09/27" | ||
| integration = ["endpoint"] | ||
| maturity = "production" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
| updated_date = "2023/09/27" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies binaries that are loaded and with an invalid code signature. This may indicate an attempt to masquerade as a | ||
| signed binary. | ||
| """ | ||
| from = "now-119m" | ||
| interval = "60m" | ||
| index = ["logs-endpoint.events.*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "Image Loaded with Invalid Signature" | ||
| risk_score = 21 | ||
| rule_id = "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8" | ||
| severity = "low" | ||
| tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] | ||
| timestamp_override = "event.ingested" | ||
| building_block_type = "default" | ||
| type = "eql" | ||
|
|
||
| query = ''' | ||
| library where host.os.type == "windows" and event.action == "load" and | ||
| dll.code_signature.status : ("errorUntrustedRoot", "errorBadDigest", "errorUntrustedRoot") and | ||
| (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and | ||
| not startswith~(dll.name, process.name) and | ||
| not dll.path : ( | ||
| "?:\\Windows\\System32\\DriverStore\\FileRepository\\*" | ||
| ) | ||
| ''' | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1036" | ||
| name = "Masquerading" | ||
| reference = "https://attack.mitre.org/techniques/T1036/" | ||
|
|
||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1036.001" | ||
| name = "Invalid Code Signature" | ||
| reference = "https://attack.mitre.org/techniques/T1036/001/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0005" | ||
| name = "Defense Evasion" | ||
| reference = "https://attack.mitre.org/tactics/TA0005/" |
51 changes: 51 additions & 0 deletions
51
rules_building_block/initial_access_execution_from_removable_media.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| [metadata] | ||
| creation_date = "2023/09/27" | ||
| integration = ["endpoint"] | ||
| maturity = "production" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
| updated_date = "2023/09/27" | ||
| bypass_bbr_timing = true | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems, | ||
| possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of | ||
| Autorun features when the media is inserted into a system and executes. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["logs-endpoint.events.*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "Execution from a Removable Media with Network Connection" | ||
| risk_score = 21 | ||
| rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f" | ||
| severity = "low" | ||
| tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Elastic Defend"] | ||
| building_block_type = "default" | ||
| type = "eql" | ||
|
|
||
| query = ''' | ||
| sequence by process.entity_id with maxspan=5m | ||
| [process where host.os.type == "windows" and event.action == "start" and | ||
| /* Direct Exec from USB */ | ||
| (process.Ext.device.bus_type : "usb" or process.Ext.device.product_id : "USB *") and | ||
| (process.code_signature.trusted == false or process.code_signature.exists == false) and | ||
| not process.code_signature.status : ("errorExpired", "errorCode_endpoint*")] | ||
| [network where host.os.type == "windows" and event.action == "connection_attempted"] | ||
| ''' | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1091" | ||
| name = "Replication Through Removable Media" | ||
| reference = "https://attack.mitre.org/techniques/T1091/" | ||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0001" | ||
| name = "Initial Access" | ||
| reference = "https://attack.mitre.org/tactics/TA0001/" |
94 changes: 94 additions & 0 deletions
94
rules_building_block/initial_access_execution_remote_via_msiexec.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,94 @@ | ||
| [metadata] | ||
| creation_date = "2023/09/28" | ||
| integration = ["endpoint"] | ||
| maturity = "production" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
| updated_date = "2023/09/28" | ||
| bypass_bbr_timing = true | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse | ||
| msiexec.exe to launch local or network accessible MSI files. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["logs-endpoint.events.*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "Potential Remote File Execution via MSIEXEC" | ||
| risk_score = 21 | ||
| rule_id = "3e441bdb-596c-44fd-8628-2cfdf4516ada" | ||
| severity = "low" | ||
| tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] | ||
| building_block_type = "default" | ||
| type = "eql" | ||
|
|
||
| query = ''' | ||
| sequence with maxspan=1m | ||
| [process where host.os.type == "windows" and event.action == "start" and | ||
| process.name : "msiexec.exe" and process.args : "/V"] by process.entity_id | ||
| [network where host.os.type == "windows" and process.name : "msiexec.exe" and | ||
| event.action == "connection_attempted"] by process.entity_id | ||
| [process where host.os.type == "windows" and event.action == "start" and | ||
| process.parent.name : "msiexec.exe" and user.id : ("S-1-5-21-*", "S-1-5-12-1-*") and | ||
| not process.executable : ("?:\\Windows\\SysWOW64\\msiexec.exe", | ||
| "?:\\Windows\\System32\\msiexec.exe", | ||
| "?:\\Windows\\System32\\srtasks.exe", | ||
| "?:\\Windows\\SysWOW64\\srtasks.exe", | ||
| "?:\\Windows\\System32\\taskkill.exe", | ||
| "?:\\Windows\\Installer\\MSI*.tmp", | ||
| "?:\\Program Files\\*.exe", | ||
| "?:\\Program Files (x86)\\*.exe", | ||
| "?:\\Windows\\System32\\ie4uinit.exe", | ||
| "?:\\Windows\\SysWOW64\\ie4uinit.exe", | ||
| "?:\\Windows\\System32\\sc.exe", | ||
| "?:\\Windows\\system32\\Wbem\\mofcomp.exe", | ||
| "?:\\Windows\\twain_32\\fjscan32\\SOP\\crtdmprc.exe", | ||
| "?:\\Windows\\SysWOW64\\taskkill.exe", | ||
| "?:\\Windows\\SysWOW64\\schtasks.exe", | ||
| "?:\\Windows\\system32\\schtasks.exe", | ||
| "?:\\Windows\\System32\\sdbinst.exe") and | ||
| not (process.code_signature.subject_name == "Citrix Systems, Inc." and process.code_signature.trusted == true) and | ||
| not (process.name : ("regsvr32.exe", "powershell.exe", "rundll32.exe", "wscript.exe") and | ||
| process.Ext.token.integrity_level_name == "high" and | ||
| process.args : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")) and | ||
| not (process.executable : ("?:\\Program Files\\*.exe", "?:\\Program Files (x86)\\*.exe") and process.code_signature.trusted == true) and | ||
| not (process.name : "rundll32.exe" and process.args : "printui.dll,PrintUIEntry") | ||
| ] by process.parent.entity_id | ||
| ''' | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1566" | ||
| name = "Phishing" | ||
| reference = "https://attack.mitre.org/techniques/T1566/" | ||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1566.002" | ||
| name = "Spearphishing Link" | ||
| reference = "https://attack.mitre.org/techniques/T1566/002/" | ||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0001" | ||
| name = "Initial Access" | ||
| reference = "https://attack.mitre.org/tactics/TA0001/" | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1218" | ||
| name = "System Binary Proxy Execution" | ||
| reference = "https://attack.mitre.org/techniques/T1218/" | ||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1218.007" | ||
| name = "Msiexec" | ||
| reference = "https://attack.mitre.org/techniques/T1218/007/" | ||
|
|
||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0005" | ||
| name = "Defense Evasion" | ||
| reference = "https://attack.mitre.org/tactics/TA0005/" |
72 changes: 72 additions & 0 deletions
72
rules_building_block/initial_access_xsl_script_execution_via_com.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| [metadata] | ||
| creation_date = "2023/09/27" | ||
| integration = ["endpoint"] | ||
| maturity = "production" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
| updated_date = "2023/09/27" | ||
| bypass_bbr_timing = true | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. | ||
| This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["logs-endpoint.events.*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "Remote XSL Script Execution via COM" | ||
| risk_score = 21 | ||
| rule_id = "48f657ee-de4f-477c-aa99-ed88ee7af97a" | ||
| severity = "low" | ||
| tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"] | ||
| building_block_type = "default" | ||
| type = "eql" | ||
|
|
||
| query = ''' | ||
| sequence with maxspan=1m | ||
| [library where host.os.type == "windows" and dll.name : "msxml3.dll" and | ||
| process.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe")] by process.entity_id | ||
| [process where host.os.type == "windows" and event.action == "start" and | ||
| process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe") and | ||
| not process.executable : | ||
| ("?:\\Windows\\System32\\WerFault.exe", | ||
| "?:\\Windows\\SysWoW64\\WerFault.exe", | ||
| "?:\\windows\\splwow64.exe", | ||
| "?:\\Windows\\System32\\conhost.exe", | ||
| "?:\\Program Files\\*.exe", | ||
| "?:\\Program Files (x86)\\*exe")] by process.parent.entity_id | ||
| ''' | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1566" | ||
| name = "Phishing" | ||
| reference = "https://attack.mitre.org/techniques/T1566/" | ||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1566.002" | ||
| name = "Spearphishing Link" | ||
| reference = "https://attack.mitre.org/techniques/T1566/002/" | ||
|
|
||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0001" | ||
| name = "Initial Access" | ||
| reference = "https://attack.mitre.org/tactics/TA0001/" | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1220" | ||
| name = "XSL Script Processing" | ||
| reference = "https://attack.mitre.org/techniques/T1220/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0005" | ||
| name = "Defense Evasion" | ||
| reference = "https://attack.mitre.org/tactics/TA0005/" |