[Security Content] 8.3 - Add Investigation Guides (#1937)

* 8.3 - Add Investigation Guides * Apply suggestions * Apply the refactor * Apply suggestions from Samir * . Co-authored-by: Colson Wilhoit <[email protected]> (cherry picked from commit a1bdf2b)
elastic · May 19, 2022 · 5459c43 · 5459c43
1 parent 1d8d051
commit 5459c43
Show file tree

Hide file tree

Showing 11 changed files with 511 additions and 72 deletions.
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/21"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,50 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumeration of Administrator Accounts"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating Enumeration of Administrator Accounts
+
+After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.
+This can happen by running commands to enumerate network resources, users, connections, files, and installed security
+software.
+
+This rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups 
+in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such
+as mapping targets for credential compromise and other post-exploitation activities.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
+network connections.
+
+### False positive analysis
+
+- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify
+suspicious activity related to the user or host, such alerts can be dismissed.
+
+### Related rules
+
+- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+
+## Config
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """

diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
@@ -0,0 +1,92 @@
+[metadata]
+creation_date = "2020/03/18"
+maturity = "production"
+min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
+min_stack_version = "7.16.0"
+updated_date = "2022/04/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after
+an adversary has achieved privilege escalation.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Account Discovery Command via SYSTEM Account"
+note = """## Triage and analysis
+
+### Investigating Account Discovery Command via SYSTEM Account
+
+After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.
+This can happen by running commands to enumerate network resources, users, connections, files, and installed security
+software.
+
+This rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed
+after attackers successfully perform privilege escalation or exploit web applications.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+  - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike,
+  investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential
+  webshell backdoor.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system
+shell using Windows services, scheduled tasks or other third party utilities.
+
+### False positive analysis
+
+- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify
+suspicious activity related to the user or host, such alerts can be dismissed.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+- Use the data collected through the analysis to investigate other machines affected in the environment.
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
+risk_score = 21
+rule_id = "2856446a-34e6-435b-9fb5-f8f040bfa7ed"
+severity = "low"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started") and 
+  (?process.Ext.token.integrity_level_name : "System" or
+  ?winlog.event_data.IntegrityLevel : "System") and
+  (process.name : "whoami.exe" or
+  (process.name : "net1.exe" and not process.parent.name : "net.exe"))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/windows/discovery_file_dir_discovery.toml b/rules/windows/discovery_file_dir_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/21"
 
 [rule]
 author = ["Elastic"]
@@ -21,6 +21,44 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "File and Directory Discovery"
+note = """## Triage and analysis
+
+### Investigating File and Directory Discovery
+
+After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.
+This can happen by running commands to enumerate network resources, users, connections, files, and installed security
+software.
+
+This rule looks for three directory-listing commands in one minute, which can indicate attempts to locate valuable files,
+specific file types or installed programs.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
+network connections.
+
+### False positive analysis
+
+- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify
+suspicious activity related to the user or host, such alerts can be dismissed.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+"""
 risk_score = 21
 rule_id = "7b08314d-47a0-4b71-ae4e-16544176924f"
 severity = "low"

diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml
diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/21"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,46 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Network Enumeration"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating Windows Network Enumeration
+
+After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.
+This can happen by running commands to enumerate network resources, users, connections, files, and installed security
+software.
+
+This rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives
+or printers. This information is useful to attackers as they can identify targets for lateral movements and search for
+valuable shared data.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
+network connections.
+
+### False positive analysis
+
+- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify
+suspicious activity related to the user or host, such alerts can be dismissed.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+
+## Config
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """

diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
@@ -1,20 +1,61 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies use of the Windows file system utility (fsutil.exe ) to gather information about attached peripheral devices
+Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices
 and components connected to a computer system.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Peripheral Device Discovery"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating Peripheral Device Discovery
+
+After successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps.
+This can happen by running commands to enumerate network resources, users, connections, files, and installed security
+software.
+
+This rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to
+the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable
+media. These devices can contain valuable information for attackers.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate abnormal behaviors observed using the account, such as commands executed, files created or modified, and
+network connections.
+- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage
+services.
+
+### False positive analysis
+
+- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify
+suspicious activity related to the user or host, such alerts can be dismissed.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+
+## Config
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """