[Security Content] 8.3 - Add Investigation Guides

rules/windows/discovery_admin_recon.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/21"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,43 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumeration of Administrator Accounts"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating Enumeration of Administrator Accounts
+
+After a successful initial compromise, attackers may try to gain situational awareness of the environment to plan their
+next steps. This can happen by running commands to enumerate network resources, users, connections, files, and security
+software installed.
+
+This rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups 
+in both domain and local scope, this information can be used by attackers to decide the next steps of the attack, such
+as mapping targets for credential compromise and other post-exploitation activities.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree).
+- Identify the user account that performed the action and whether it usually performs this kind of action.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate abnormal behaviors done using the account, such as commands executed, startup folder modifications, and
+network connections.
+
+### False positive analysis
+
+- Discovery activities themselves are not inherently malicious if occurring in isolation. As long as the analyst did not
+identify any suspicious activity related to the user or host, such alerts can be dismissed.
+
+### Related rules
+
+- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Quarantine the involved host to prevent further post-compromise behavior.
+- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
+- Determine the initial infection vector.
+
+## Config
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """

rules/windows/discovery_command_system_account.toml

@@ -0,0 +1,84 @@
+[metadata]
+creation_date = "2020/03/18"
+maturity = "production"
+min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
+min_stack_version = "7.16.0"
+updated_date = "2022/04/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after
+an adversary has achieved privilege escalation.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Account Discovery Command via SYSTEM Account"
+note = """## Triage and analysis
+
+### Investigating Account Discovery Command via SYSTEM Account
+
+After a successful initial compromise, attackers may try to gain situational awareness of the environment to plan their
+next steps. This can happen by running commands to enumerate network resources, users, connections, files, and security
+software installed.
+
+This rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed
+after attackers successfully perform privilege escalation.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree).
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system
+shell using psexec and other utilities, use services, etc.
+
+### False positive analysis
+
+- Discovery activities themselves are not inherently malicious if occurring in isolation. As long as the analyst did not
+identify any suspicious activity related to the user or host, such alerts can be dismissed.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Quarantine the involved host to prevent further post-compromise behavior.
+- Scope potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the
+target host.
+- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
+- Determine the initial infection vector.
+- Using the data collected through the analysis, scope other machines affected in the environment.
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
+risk_score = 21
+rule_id = "2856446a-34e6-435b-9fb5-f8f040bfa7ed"
+severity = "low"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started") and 
+  (?process.Ext.token.integrity_level_name : "System" or
+  ?winlog.event_data.IntegrityLevel : "System") and
+  (process.name : "whoami.exe" or
+  (process.name : "net1.exe" and not process.parent.name : "net.exe"))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1033"
+name = "System Owner/User Discovery"
+reference = "https://attack.mitre.org/techniques/T1033/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+

rules/windows/discovery_file_dir_discovery.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/21"
 
 [rule]
 author = ["Elastic"]
@@ -21,6 +21,37 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "File and Directory Discovery"
+note = """## Triage and analysis
+
+### Investigating File and Directory Discovery
+
+After a successful initial compromise, attackers may try to gain situational awareness of the environment to plan their
+next steps. This can happen by running commands to enumerate network resources, users, connections, files, and security
+software installed.
+
+This rule looks for three directory-listing commands in one minute, which can indicate attempts to locate valuable files
+or specific file types or installed programs.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree).
+- Identify the user account that performed the action and whether it usually performs this kind of action.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate abnormal behaviors done using the account, such as commands executed, startup folder modifications, and
+network connections.
+
+### False positive analysis
+
+- Discovery activities themselves are not inherently malicious if occurring in isolation. As long as the analyst did not
+identify any suspicious activity related to the user or host, such alerts can be dismissed.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Quarantine the involved host to prevent further post-compromise behavior.
+- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
+- Determine the initial infection vector.
+"""
 risk_score = 21
 rule_id = "7b08314d-47a0-4b71-ae4e-16544176924f"
 severity = "low"

rules/windows/discovery_net_view.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/21"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,39 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Network Enumeration"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating Windows Network Enumeration
+
+After a successful initial compromise, attackers may try to gain situational awareness of the environment to plan their
+next steps. This can happen by running commands to enumerate network resources, users, connections, files, and security
+software installed.
+
+This rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives
+or printers, which is useful to attackers as they can identify targets for lateral movements and search for valuable
+shared data.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree).
+- Identify the user account that performed the action and whether it usually performs this kind of action.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate abnormal behaviors done using the account, such as commands executed, startup folder modifications, and
+network connections.
+
+### False positive analysis
+
+- Discovery activities themselves are not inherently malicious if occurring in isolation. As long as the analyst did not
+identify any suspicious activity related to the user or host, such alerts can be dismissed.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Quarantine the involved host to prevent further post-compromise behavior.
+- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
+- Determine the initial infection vector.
+
+## Config
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """

rules/windows/discovery_peripheral_device.toml

@@ -1,20 +1,54 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/04/21"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies use of the Windows file system utility (fsutil.exe ) to gather information about attached peripheral devices
+Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices
 and components connected to a computer system.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Peripheral Device Discovery"
-note = """## Config
+note = """## Triage and analysis
+
+### Investigating Peripheral Device Discovery
+
+After a successful initial compromise, attackers may try to gain situational awareness of the environment to plan their
+next steps. This can happen by running commands to enumerate network resources, users, connections, files, and security
+software installed.
+
+This rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to
+the computer, which can be useful to identify secondary drives used for backups, mapped network drives, and removable
+media. All of which can contain valuable information for attackers.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree).
+- Identify the user account that performed the action and whether it usually performs this kind of action.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate abnormal behaviors done using the account, such as commands executed, startup folder modifications, and
+network connections.
+- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage
+services.
+
+### False positive analysis
+
+- Discovery activities themselves are not inherently malicious if occurring in isolation. As long as the analyst did not
+identify any suspicious activity related to the user or host, such alerts can be dismissed.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Quarantine the involved host to prevent further post-compromise behavior.
+- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
+- Determine the initial infection vector.
+
+## Config
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """