
Commit af27a89

w0rk3rgithub-actions[bot]
authored andcommitted
[New Rule] Building Block Rules - Part 4 (#2926)
* [New Rule] Building Block Rules - Part 4 * Update discovery_win_network_connections.toml * Update privilege_escalation_unquoted_service_path.toml * Update rules_building_block/discovery_win_network_connections.toml * Update rules_building_block/privilege_escalation_unquoted_service_path.toml * Rename lateral_movement_net_share_discovery_winlog.toml to discovery_net_share_discovery_winlog.toml * Update discovery_net_share_discovery_winlog.toml (cherry picked from commit d1db3a0)
1 parent 0f87117 commit af27a89

4 files changed

+253
-0
lines changed
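--- a/rules_building_block/discovery_net_share_discovery_winlog.toml
+++ b/rules_building_block/discovery_net_share_discovery_winlog.toml
@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2023/07/14"
+integration = ["windows", "system"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a
+precursor for collection and identify potential systems of interest for Lateral Movement.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Network Share Discovery"
+risk_score = 21
+rule_id = "b2318c71-5959-469a-a3ce-3a0768e63b9c"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+type = "eql"
+building_block_type = "default"
+
+query = '''
+sequence by user.name, source.port, source.ip with maxspan=15s
+[file where event.action == "network-share-object-access-checked" and
+winlog.event_data.ShareName : ("\\*ADMIN$", "\\*C$") and
+source.ip != null and source.ip != "0.0.0.0" and source.ip != "::1" and source.ip != "::" and source.ip != "127.0.0.1"]
+[file where event.action == "network-share-object-access-checked" and
+winlog.event_data.ShareName : ("\\*ADMIN$", "\\*C$") and
+source.ip != null and source.ip != "0.0.0.0" and source.ip != "::1" and source.ip != "::" and source.ip != "127.0.0.1"]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1135"
+name = "Network Share Discovery"
+reference = "https://attack.mitre.org/techniques/T1135/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"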
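Review bot: The two steps of the `sequence` in `query` are byte-identical, so the rule fires on any two ADMIN$/C$ access-check events from the same user, source port and source IP within 15 seconds, not on a progression between distinct events. If repeated access is the intent, a leading EQL comment such as `// two access checks from the same source within 15s; the repetition is intentional, not two stages` would keep the next maintainer from "fixing" it; if not, the second step should differ from the first. This `[rule]` table is also the only one of the four files in this commit without `timestamp_override = "event.ingested"`, which may be deliberate for Winlogbeat-sourced events but is worth confirming given the `now-119m` lookback.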
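--- a/rules_building_block/discovery_win_network_connections.toml
+++ b/rules_building_block/discovery_win_network_connections.toml
@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2023/07/14"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may
+attempt to get a listing of network connections to or from a compromised system to identify targets within an environment.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Windows System Network Connections Discovery"
+risk_score = 21
+rule_id = "c4e9ed3e-55a2-4309-a012-bc3c78dad10a"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+(
+process.name : "netstat.exe" or
+(
+(
+(process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
+(
+(process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
+not process.parent.name : "net.exe"
+)
+) and process.args : ("use", "user", "session", "config") and not process.args: ("/persistent:*", "/delete", "\\\\*")
+) or
+(process.name : "nbtstat.exe" and process.args : "-s*")
+) and not user.id : "S-1-5-18"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1049"
+name = "System Network Connections Discovery"
+reference = "https://attack.mitre.org/techniques/T1049/"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"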
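Review bot: The exclusion `not process.args: ("/persistent:*", "/delete", "\\\\*")` on line 40 of `query` is undocumented, and a reader cannot tell why `net use` invocations carrying a UNC path or a `/delete` switch are dropped; presumably because those forms map or remove a share rather than list sessions, which an EQL comment on the preceding line would make explicit, e.g. `// skip net use calls that map or remove a share; only enumeration forms are of interest here`. The same line mixes `process.args : (...)` and `process.args: (...)`; the rest of the file uses `field : value` with a space on both sides. The `not user.id : "S-1-5-18"` exclusion on line 43 likewise deserves a comment, since it is what suppresses SYSTEM-initiated executions.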
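--- a/rules_building_block/<path-not-shown-on-page>.toml
+++ b/rules_building_block/<path-not-shown-on-page>.toml
@@ -0,0 +1,88 @@
+[metadata]
+creation_date = "2023/07/14"
+integration = ["windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may
+leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria,
+establishing persistence.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft Exchange Transport Agent Install Script"
+note = """## Setup
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with Advanced Audit Configuration:
+```
+Computer Configuration >
+Administrative Templates >
+Windows PowerShell >
+Turn on PowerShell Script Block Logging (Enable)
+```
+Steps to implement the logging policy via registry:
+```
+reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+"""
+risk_score = 21
+rule_id = "846fe13f-6772-4c83-bd39-9d16d4ad1a81"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: PowerShell Logs", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "query"
+building_block_type = "default"
+
+query = '''
+event.category: "process" and host.os.type:windows and
+powershell.file.script_block_text : (
+(
+"Install-TransportAgent" or
+"Enable-TransportAgent"
+)
+) and not user.id : "S-1-5-18"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1505"
+name = "Server Software Component"
+reference = "https://attack.mitre.org/techniques/T1505/"
+[[rule.threat.technique.subtechnique]]
+id = "T1505.002"
+name = "Transport Agent"
+reference = "https://attack.mitre.org/techniques/T1505/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"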
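Review bot: The `note` text on line 24 announces "Steps to implement the logging policy with Advanced Audit Configuration", but the Group Policy path it then lists runs through Administrative Templates > Windows PowerShell, which is not the Advanced Audit Policy Configuration node; `Steps to implement the logging policy with Group Policy:` would match the path shown. The `note` also never states that the rule reads `powershell.file.script_block_text`, so an operator following the setup cannot confirm which field the enabled logging is expected to populate; one sentence naming that field would close the gap. As a point of style, line 45 of `query` writes `host.os.type:windows` without the spaces or quotes that `event.category: "process"` and `user.id : "S-1-5-18"` use on the same query.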
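--- a/rules_building_block/privilege_escalation_unquoted_service_path.toml
+++ b/rules_building_block/privilege_escalation_unquoted_service_path.toml
@@ -0,0 +1,55 @@
+[metadata]
+creation_date = "2023/07/13"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a
+higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable
+from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Exploitation of an Unquoted Service Path Vulnerability"
+risk_score = 21
+rule_id = "12de29d4-bbb0-4eef-b687-857e8a163870"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+(
+process.executable : "?:\\Program.exe" or
+process.executable regex """(C:\\Program Files \(x86\)\\|C:\\Program Files\\)\w+.exe"""
+)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.009"
+name = "Path Interception by Unquoted Path"
+reference = "https://attack.mitre.org/techniques/T1574/009/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"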
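Review bot: The `regex` pattern on line 34 of `query` leaves the `.` before `exe` unescaped, so it matches any single character, and it hard-codes drive `C:` while the `"?:\\Program.exe"` clause on the line above is drive-agnostic; `process.executable regex """([A-Za-z]:\\Program Files \(x86\)\\|[A-Za-z]:\\Program Files\\)\w+\.exe"""` would make the two clauses consistent. EQL `regex` is case-sensitive, unlike the `:` comparison beside it, so an executable path recorded in lower case would miss the regex branch; if case-insensitive matching is intended, `regex~` is the form to use, though I cannot tell from here how the endpoint integration normalises `process.executable`. A short EQL comment above the two clauses, e.g. `// a binary named after the first path segment (Program.exe, Program Files\<word>.exe) is the classic unquoted-path interception artefact`, would also explain what the patterns are after. The blank line between `[[rule.threat]]` and `[[rule.threat.technique]]` on lines 40-42 is absent in the other three files of this commit.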
