Skip to content

Commit

Permalink
Add more Kibana samples; store in separate directory (#28)
Browse files Browse the repository at this point in the history 
* Add more Kibana samples; store in separate directory

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

* Move one more file

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

---------

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
  • Loading branch information
@egibs
egibs authored Nov 8, 2024
1 parent 8320e10 commit fa43e44
Show file tree
Hide file tree
Showing 11 changed files with 926 additions and 0 deletions.
133 changes: 133 additions & 0 deletions linux/clean/kibana/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,133 @@
{
"attributes": {
"author": [
"Elastic"
],
"description": "Identifies suspicious PowerShell execution spawning from Windows Script Host processes (cscript or wscript.exe).",
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-windows.*",
"logs-system.security*",
"logs-windows.sysmon_operational-*",
"logs-sentinel_one_cloud_funnel.*",
"logs-m365_defender.event-*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "Suspicious PowerShell Execution via Windows Scripts",
"query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\") and\n process.parent.name : (\"wscript.exe\", \"cscript.exe\", \"mshta.exe\") and\n (\n process.args_count == 1 or\n process.command_line :\n (\"*^*^*^*^*^*^*^*^*^*\",\n \"*''*''*''*\",\n \"*`*`*`*`*\",\n \"*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*\",\n \"*+*+*+*+*+*\",\n \"*$*$*$*$*\",\n \"*[char[]](*)*-join\",\n \"*Base64String*\",\n \"*[*Convert]*\",\n \"*.Text.Encoding*\",\n \"*.Compression.*\",\n \"*.replace(*\",\n \"*MemoryStream*\",\n \"*WriteAllBytes*\",\n \"* -en* *\",\n \"* -ec *\",\n \"* -e *\",\n \"* -ep *\",\n \"* /e *\",\n \"* /en* *\",\n \"* /ec *\",\n \"* /ep *\",\n \"*WebClient*\",\n \"*DownloadFile*\",\n \"*DownloadString*\",\n \"*BitsTransfer*\",\n \"*Invoke-Exp*\",\n \"*invoke-web*\",\n \"*iex*\",\n \"*iwr*\",\n \"*Reflection.Assembly*\",\n \"*Assembly.GetType*\",\n \"*.Sockets.*\",\n \"*Add-MpPreference*ExclusionPath*\",\n \"*raw.githubusercontent*\")\n ) and\n\n /* many legit powershell commands uses those non shortened execution flags excluding Sync-AppvPublishingServer lolbas */\n not (process.args : (\"-EncodedCommand\", \"Import-Module*\", \"-NonInteractive\") and\n process.args : \"-ExecutionPolicy\" and not process.args : \"Sync-AppvPublishingServer\") and\n\n /* third party installation related FPs */\n not ?process.parent.args : \"?:\\\\Windows\\\\system32\\\\gatherNetworkInfo.vbs\" and\n not (?process.parent.args : \"Microsoft.SystemCenter.ICMPProbe.WithConsecutiveSamples.vbs\" and process.args : \"Get-SCOMAgent\") and\n not (process.command_line : \"*WEBLOGIC_ARGS_CURRENT_1.DATA*\" and ?process.parent.command_line : \"*Impact360*\") and\n not process.args : \"$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers;*\" and\n not process.command_line : (\"*.Access.IdentityReference*win32_SID.SID*\", \"*AGIAbQB4AC0AYQBwAC4AcwAzAC4AdQBzAC0AZQBhAHMAd*\") and\n not (?process.parent.args : \"?:\\\\Users\\\\Prestige\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\\\\KMS_VL_ALL_AIO.cmd -elevated\" and process.command_line : \"*KMS_VL_ALL_AIO.cmd*\") and\n not process.args : \"iwr https://*.s3.us-east-1.amazonaws.com/scripts/Start-SpeedTest.ps1 -UserAgent * -UseBasicParsing | invoke-expression\" and\n not (process.parent.name : \"wscript.exe\" and\n ?process.parent.args : \"C:\\\\Program Files (x86)\\\\Telivy\\\\Telivy Agent\\\\telivy.js\")\n",
"related_integrations": [
{
"package": "windows",
"version": "^1.5.0"
},
{
"package": "system",
"version": "^1.6.4"
},
{
"package": "sentinel_one_cloud_funnel",
"version": "^1.0.0"
},
{
"package": "m365_defender",
"version": "^2.0.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "host.os.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args_count",
"type": "long"
},
{
"ecs": true,
"name": "process.command_line",
"type": "wildcard"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
},
{
"ecs": true,
"name": "process.parent.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.parent.command_line",
"type": "wildcard"
},
{
"ecs": true,
"name": "process.parent.name",
"type": "keyword"
}
],
"risk_score": 73,
"rule_id": "2d62889e-e758-4c5e-b57e-c735914ee32a",
"severity": "high",
"tags": [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: System",
"Data Source: Sysmon",
"Data Source: SentinelOne",
"Data Source: Microsoft Defender for Endpoint"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"reference": "https://attack.mitre.org/techniques/T1059/",
"subtechnique": [
{
"id": "T1059.001",
"name": "PowerShell",
"reference": "https://attack.mitre.org/techniques/T1059/001/"
},
{
"id": "T1059.005",
"name": "Visual Basic",
"reference": "https://attack.mitre.org/techniques/T1059/005/"
}
]
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 101
},
"id": "2d62889e-e758-4c5e-b57e-c735914ee32a_101",
"type": "security-rule"
}
129 changes: 129 additions & 0 deletions linux/clean/kibana/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
{
"attributes": {
"author": [
"Elastic"
],
"description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.",
"false_positives": [
"Legitimate PowerShell scripts that make use of these functions."
],
"from": "now-9m",
"index": [
"winlogbeat-*",
"logs-windows.powershell*"
],
"language": "kuery",
"license": "Elastic License v2",
"name": "Potential Process Injection via PowerShell",
"note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n",
"query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n ) and not \n file.directory: (\n \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM\" or\n \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\"\n )\n",
"references": [
"https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1",
"https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1",
"https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1",
"https://www.elastic.co/security-labs/detect-credential-access"
],
"related_integrations": [
{
"package": "windows",
"version": "^1.5.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.category",
"type": "keyword"
},
{
"ecs": true,
"name": "file.directory",
"type": "keyword"
},
{
"ecs": true,
"name": "host.os.type",
"type": "keyword"
},
{
"ecs": false,
"name": "powershell.file.script_block_text",
"type": "unknown"
}
],
"risk_score": 73,
"rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d",
"setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n",
"severity": "high",
"tags": [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Tactic: Execution",
"Resources: Investigation Guide",
"Data Source: PowerShell Logs"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1055",
"name": "Process Injection",
"reference": "https://attack.mitre.org/techniques/T1055/",
"subtechnique": [
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"reference": "https://attack.mitre.org/techniques/T1055/001/"
},
{
"id": "T1055.002",
"name": "Portable Executable Injection",
"reference": "https://attack.mitre.org/techniques/T1055/002/"
}
]
}
]
},
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"reference": "https://attack.mitre.org/techniques/T1059/",
"subtechnique": [
{
"id": "T1059.001",
"name": "PowerShell",
"reference": "https://attack.mitre.org/techniques/T1059/001/"
}
]
},
{
"id": "T1106",
"name": "Native API",
"reference": "https://attack.mitre.org/techniques/T1106/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 111
},
"id": "2e29e96a-b67c-455a-afe4-de6183431d0d_111",
"type": "security-rule"
}
Loading

0 comments on commit fa43e44

Please sign in to comment.