[Security Content] 8.3 - Add Investigation Guides 2 (#1989)

* [Security Content] 8.3 - Add Investigation Guides 2 - Initial Commit * . * Add Related rules * Apply suggestions from code review Co-authored-by: nastasha-solomon <[email protected]> * Apply suggestions from code review Co-authored-by: nastasha-solomon <[email protected]> * . * . * Apply suggestions from code review Co-authored-by: Joe Peeples <[email protected]> Co-authored-by: nastasha-solomon <[email protected]> Co-authored-by: Joe Peeples <[email protected]> (cherry picked from commit e5d3c63)
elastic · May 31, 2022 · e06a4d6 · e06a4d6
1 parent 389c659
commit e06a4d6
Show file tree

Hide file tree

Showing 11 changed files with 625 additions and 19 deletions.
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,57 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Exporting Exchange Mailbox via PowerShell"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating Exporting Exchange Mailbox via PowerShell
+
+The `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive
+to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.
+
+Attackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive
+and strategic data.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate the export operation:
+  - Identify the user account that performed the action and whether it should perform this kind of action.
+  - Contact the account owner and confirm whether they are aware of this activity.
+  - Check if this operation is done under change management and approved according to the organization's policy.
+  - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.
+  - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that
+  assigned the "Mailbox Import Export" privilege for abnormal activity.
+- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on
+a per-mailbox basis and can be part of a mass export.
+- If the operation was completed successfully:
+  - Check if the file is on the path specified in the command.
+  - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.
+
+### False positive analysis
+
+- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity
+and it is done with proper approval.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.
+- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.
+- Prioritize cases that involve personally identifiable information (PII) or other classified data.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Review the privileges of users with the "Mailbox Import Export" privilege to ensure that the least privilege principle
+is being followed.
+- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system,
+persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+
+## Config
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """

diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/01/24"
 maturity = "production"
-updated_date = "2022/05/09"
+updated_date = "2022/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -58,6 +58,24 @@ systems, and web services. Prioritize privileged accounts.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
+
+## Config
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with with Advanced Audit Configuration:
+
+```
+Computer Configuration > 
+Administrative Templates > 
+Windows PowerShell > 
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
 """
 references = [
     "https://cobalt.io/blog/kerberoast-attack-techniques",

diff --git a/rules/windows/defense_evasion_code_injection_conhost.toml b/rules/windows/defense_evasion_code_injection_conhost.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,64 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Process from Conhost"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating Suspicious Process from Conhost
+
+The Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as
+the classic Windows user interface for working with command-line applications.
+
+The `conhost.exe` process doesn't normally have child processes. Any processes spawned by the `conhost.exe` process can indicate code
+injection activity or a suspicious process masquerading as the `conhost.exe` process.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file
+modifications, and any spawned child processes.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.
+- Retrieve the process executable and determine if it is malicious:
+  - Use a private sandboxed malware analysis system to perform analysis.
+    - Observe and collect information about the following activities:
+      - Attempts to contact external domains and addresses.
+      - File and registry access, modification, and creation activities.
+      - Service creation and launch activities.
+      - Scheduled tasks creation.
+  - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
+    - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### Related rules
+
+- Conhost Spawned By Suspicious Parent Process - 05b358de-aa6d-4f6c-89e6-78f74018b43b
+- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3
+
+### False positive analysis
+
+- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement temporary network rules, procedures, and segmentation to contain the malware.
+  - Stop suspicious processes.
+  - Immediately block the identified indicators of compromise (IoCs).
+  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
+  attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+
+## Config
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """

diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,49 @@ license = "Elastic License v2"
 name = "Windows Defender Disabled via Registry Modification"
 note = """## Triage and analysis
 
-Detections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized.
+### Investigating Windows Defender Disabled via Registry Modification
+
+Microsoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple
+environments. Disabling it is a common step in threat actor playbooks.
+
+This rule monitors the registry for configurations that disable Windows Defender or the start of its service.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate
+software installations.
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Contact the account owner and confirm whether they are aware of this activity.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Check if this operation is done under change management and approved according to the organization's policy.
+
+### False positive analysis
+
+- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity,
+the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting),
+and no other suspicious activity has been observed.
+
+### Related rules
+
+- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87
+- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Re-enable Windows Defender and restore the service configurations to automatic start.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
 
 ## Config
 

diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/05/21"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,54 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Disabling Windows Defender Security Settings via PowerShell"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating Disabling Windows Defender Security Settings via PowerShell
+
+Microsoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple
+environments. Disabling it is a common step in threat actor playbooks.
+
+This rule monitors the execution of commands that can tamper the Windows Defender antivirus features.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate
+software installations.
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Contact the account owner and confirm whether they are aware of this activity.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state,
+sample submission, etc.
+
+### False positive analysis
+
+- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity,
+the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting),
+and no other suspicious activity has been observed.
+
+### Related rules
+
+- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb
+- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+
+## Config
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """

diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/10/18"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/05/21"
 
 [rule]
 author = ["Austin Songer"]
@@ -15,7 +15,54 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Windows Defender Tampering"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating Microsoft Windows Defender Tampering
+
+Microsoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple
+environments. Disabling it is a common step in threat actor playbooks.
+
+This rule monitors the registry for modifications that disable Windows Defender features.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate
+software installations.
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Contact the account owner and confirm whether they are aware of this activity.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Examine which features have been disabled, and check if this operation is done under change management and approved
+according to the organization's policy.
+
+### False positive analysis
+
+- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity,
+the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting),
+and no other suspicious activity has been observed.
+
+### Related rules
+
+- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb
+- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Take actions to restore the appropriate Windows Defender antivirus configurations.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+
+## Config
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """