[New Rule] Building Block Rules - Part 4 (#2926)

* [New Rule] Building Block Rules - Part 4

* Update discovery_win_network_connections.toml

* Update privilege_escalation_unquoted_service_path.toml

* Update rules_building_block/discovery_win_network_connections.toml

* Update rules_building_block/privilege_escalation_unquoted_service_path.toml

* Rename lateral_movement_net_share_discovery_winlog.toml to discovery_net_share_discovery_winlog.toml

* Update discovery_net_share_discovery_winlog.toml

(cherry picked from commit d1db3a0)

Author: w0rk3r

rules_building_block/discovery_net_share_discovery_winlog.toml

@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2023/07/14"
+integration = ["windows", "system"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a
+precursor for collection and identify potential systems of interest for Lateral Movement.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["winlogbeat-*", "logs-windows.*", "logs-system.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Network Share Discovery"
+risk_score = 21
+rule_id = "b2318c71-5959-469a-a3ce-3a0768e63b9c"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+type = "eql"
+building_block_type = "default"
+
+query = '''
+sequence by user.name, source.port, source.ip with maxspan=15s 
+ [file where event.action == "network-share-object-access-checked" and 
+  winlog.event_data.ShareName : ("\\*ADMIN$", "\\*C$") and 
+  source.ip != null and source.ip != "0.0.0.0" and source.ip != "::1" and source.ip != "::" and source.ip != "127.0.0.1"]
+ [file where event.action == "network-share-object-access-checked" and 
+  winlog.event_data.ShareName : ("\\*ADMIN$", "\\*C$") and 
+  source.ip != null and source.ip != "0.0.0.0" and source.ip != "::1" and source.ip != "::" and source.ip != "127.0.0.1"]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1135"
+name = "Network Share Discovery"
+reference = "https://attack.mitre.org/techniques/T1135/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"

rules_building_block/discovery_win_network_connections.toml

@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2023/07/14"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may
+attempt to get a listing of network connections to or from a compromised system to identify targets within an environment.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Windows System Network Connections Discovery"
+risk_score = 21
+rule_id = "c4e9ed3e-55a2-4309-a012-bc3c78dad10a"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+(
+  process.name : "netstat.exe" or
+  (
+   (
+    (process.name : "net.exe" or process.pe.original_file_name == "net.exe") or
+    (
+     (process.name : "net1.exe" or process.pe.original_file_name == "net1.exe") and
+     not process.parent.name : "net.exe"
+    )
+   ) and process.args : ("use", "user", "session", "config") and not process.args: ("/persistent:*", "/delete", "\\\\*")
+  ) or
+  (process.name : "nbtstat.exe" and process.args : "-s*")
+) and not user.id : "S-1-5-18"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1049"
+name = "System Network Connections Discovery"
+reference = "https://attack.mitre.org/techniques/T1049/"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"

rules_building_block/persistence_transport_agent_exchange.toml

@@ -0,0 +1,88 @@
+[metadata]
+creation_date = "2023/07/14"
+integration = ["windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may
+leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria,
+establishing persistence.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft Exchange Transport Agent Install Script"
+note = """## Setup
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with Advanced Audit Configuration:
+```
+Computer Configuration >
+Administrative Templates >
+Windows PowerShell >
+Turn on PowerShell Script Block Logging (Enable)
+```
+Steps to implement the logging policy via registry:
+```
+reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+"""
+risk_score = 21
+rule_id = "846fe13f-6772-4c83-bd39-9d16d4ad1a81"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: PowerShell Logs", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "query"
+building_block_type = "default"
+
+query = '''
+event.category: "process" and host.os.type:windows and
+  powershell.file.script_block_text : (
+    (
+    "Install-TransportAgent" or
+    "Enable-TransportAgent"
+    )
+  ) and not user.id : "S-1-5-18"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1505"
+name = "Server Software Component"
+reference = "https://attack.mitre.org/techniques/T1505/"
+[[rule.threat.technique.subtechnique]]
+id = "T1505.002"
+name = "Transport Agent"
+reference = "https://attack.mitre.org/techniques/T1505/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"

rules_building_block/privilege_escalation_unquoted_service_path.toml

@@ -0,0 +1,55 @@
+[metadata]
+creation_date = "2023/07/13"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a
+higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable
+from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Exploitation of an Unquoted Service Path Vulnerability"
+risk_score = 21
+rule_id = "12de29d4-bbb0-4eef-b687-857e8a163870"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where event.type == "start" and 
+  (
+    process.executable : "?:\\Program.exe" or 
+    process.executable regex """(C:\\Program Files \(x86\)\\|C:\\Program Files\\)\w+.exe"""
+  )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.009"
+name = "Path Interception by Unquoted Path"
+reference = "https://attack.mitre.org/techniques/T1574/009/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"