forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcommand_and_control_common_webservices.toml
347 lines (307 loc) · 14.1 KB
/
command_and_control_common_webservices.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
[metadata]
creation_date = "2020/11/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"
[transform]
[[transform.investigate]]
label = "Alerts associated with the user in the last 48h"
providers = [
[
{ excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
{ excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
]
]
relativeFrom = "now-48h/h"
relativeTo = "now"
[[transform.investigate]]
label = "Alerts associated with the host in the last 48h"
providers = [
[
{ excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
{ excluded = false, field = "host.name", queryType = "phrase", value = "{{host.name}}", valueType = "string" }
]
]
relativeFrom = "now-48h/h"
relativeTo = "now"
[[transform.investigate]]
label = "Investigate the Subject Process Network Events"
providers = [
[
{ excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
{ excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
]
]
[[transform.osquery]]
label = "Osquery - Retrieve DNS Cache"
query = "SELECT * FROM dns_cache"
[[transform.osquery]]
label = "Osquery - Retrieve All Services"
query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
[[transform.osquery]]
label = "Osquery - Retrieve Services Running on User Accounts"
query = """
SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
user_account == null)
"""
[[transform.osquery]]
label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
query = """
SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
"""
[rule]
author = ["Elastic"]
description = """
Adversaries may implement command and control (C2) communications that use common web services to hide their activity.
This attack technique is typically targeted at an organization and uses web services common to the victim network, which
allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they
have most likely been used before compromise, which helps malicious traffic blend in.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Connection to Commonly Abused Web Services"
note = """## Triage and analysis
### Investigating Connection to Commonly Abused Web Services
Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.
This rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.
> **Note**:
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
#### Possible investigation steps
- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- $investigate_0
- $investigate_1
- Verify whether the digital signature exists in the executable.
- Identify the operation type (upload, download, tunneling, etc.).
- Examine the host for derived artifacts that indicate suspicious activities:
- Analyze the process executable using a private sandboxed analysis system.
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
- Attempts to contact external domains and addresses.
- Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.
- $investigate_2
- Examine the DNS cache for suspicious or anomalous entries.
- $osquery_0
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.
- Examine the host services for suspicious or anomalous entries.
- $osquery_1
- $osquery_2
- $osquery_3
- Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
### False positive analysis
- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.
### Response and remediation
- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
"https://www.elastic.co/security-labs/operation-bleeding-bear",
"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"
]
risk_score = 21
rule_id = "66883649-f908-4a5b-a1e0-54090a1d3a32"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
network where host.os.type == "windows" and network.protocol == "dns" and
process.name != null and user.id not in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
/* Add new WebSvc domains here */
dns.question.name :
(
"raw.githubusercontent.*",
"pastebin.*",
"paste4btc.com",
"paste.ee",
"ghostbin.com",
"drive.google.com",
"?.docs.live.net",
"api.dropboxapi.*",
"content.dropboxapi.*",
"dl.dropboxusercontent.*",
"api.onedrive.com",
"*.onedrive.org",
"onedrive.live.com",
"filebin.net",
"*.ngrok.io",
"ngrok.com",
"*.portmap.*",
"*serveo.net",
"*localtunnel.me",
"*pagekite.me",
"*localxpose.io",
"*notabug.org",
"rawcdn.githack.*",
"paste.nrecom.net",
"zerobin.net",
"controlc.com",
"requestbin.net",
"slack.com",
"api.slack.com",
"slack-redir.net",
"slack-files.com",
"cdn.discordapp.com",
"discordapp.com",
"discord.com",
"apis.azureedge.net",
"cdn.sql.gg",
"?.top4top.io",
"top4top.io",
"www.uplooder.net",
"*.cdnmegafiles.com",
"transfer.sh",
"gofile.io",
"updates.peer2profit.com",
"api.telegram.org",
"t.me",
"meacz.gq",
"rwrd.org",
"*.publicvm.com",
"*.blogspot.com",
"api.mylnikov.org",
"file.io",
"stackoverflow.com",
"*files.1drv.com",
"api.anonfile.com",
"*hosting-profi.de",
"ipbase.com",
"ipfs.io",
"*up.freeo*.space",
"api.mylnikov.org",
"script.google.com",
"script.googleusercontent.com",
"api.notion.com",
"graph.microsoft.com",
"*.sharepoint.com",
"mbasic.facebook.com",
"login.live.com",
"api.gofile.io",
"api.anonfiles.com",
"api.notion.com",
"api.trello.com",
"gist.githubusercontent.com",
"files.pythonhosted.org",
"g.live.com",
"*.zulipchat.com",
"webhook.site",
"run.mocky.io",
"mockbin.org",
"www.googleapis.com",
"googleapis.com",
"global.rel.tunnels.api.visualstudio.com",
"*.devtunnels.ms") and
/* Insert noisy false positives here */
not (
(
process.executable : (
"?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Windows\\System32\\WWAHost.exe",
"?:\\Windows\\System32\\smartscreen.exe",
"?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
"?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
"?:\\Users\\*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
"?:\\Users\\*\\AppData\\Local\\BraveSoftware\\*\\Application\\brave.exe",
"?:\\Users\\*\\AppData\\Local\\Vivaldi\\Application\\vivaldi.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Opera*\\opera.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
"?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
"?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
"?:\\Windows\\system32\\mobsync.exe",
"?:\\Windows\\SysWOW64\\mobsync.exe"
)
) or
/* Discord App */
(process.name : "Discord.exe" and (process.code_signature.subject_name : "Discord Inc." and
process.code_signature.trusted == true) and dns.question.name : ("discord.com", "cdn.discordapp.com", "discordapp.com")
) or
/* MS Sharepoint */
(process.name : "Microsoft.SharePoint.exe" and (process.code_signature.subject_name : "Microsoft Corporation" and
process.code_signature.trusted == true) and dns.question.name : "onedrive.live.com"
) or
/* Firefox */
(process.name : "firefox.exe" and (process.code_signature.subject_name : "Mozilla Corporation" and
process.code_signature.trusted == true)
) or
/* Dropbox */
(process.name : "Dropbox.exe" and (process.code_signature.subject_name : "Dropbox, Inc" and
process.code_signature.trusted == true) and dns.question.name : ("api.dropboxapi.com", "*.dropboxusercontent.com")
) or
/* Obsidian - Plugins are stored on raw.githubusercontent.com */
(process.name : "Obsidian.exe" and (process.code_signature.subject_name : "Dynalist Inc" and
process.code_signature.trusted == true) and dns.question.name : "raw.githubusercontent.com"
) or
/* WebExperienceHostApp */
(process.name : "WebExperienceHostApp.exe" and (process.code_signature.subject_name : "Microsoft Windows" and
process.code_signature.trusted == true) and dns.question.name : ("onedrive.live.com", "skyapi.onedrive.live.com")
) or
(process.code_signature.subject_name : "Microsoft *" and process.code_signature.trusted == true and
dns.question.name : ("*.sharepoint.com", "graph.microsoft.com", "g.live.com", "login.live.com", "login.live.com")) or
(process.code_signature.trusted == true and
process.code_signature.subject_name :
("Johannes Schindelin",
"Redis Inc.",
"Slack Technologies, LLC",
"Cisco Systems, Inc.",
"Dropbox, Inc",
"Amazon.com Services LLC"))
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1102"
name = "Web Service"
reference = "https://attack.mitre.org/techniques/T1102/"
[[rule.threat.technique]]
id = "T1568"
name = "Dynamic Resolution"
reference = "https://attack.mitre.org/techniques/T1568/"
[[rule.threat.technique.subtechnique]]
id = "T1568.002"
name = "Domain Generation Algorithms"
reference = "https://attack.mitre.org/techniques/T1568/002/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1567"
name = "Exfiltration Over Web Service"
reference = "https://attack.mitre.org/techniques/T1567/"
[[rule.threat.technique.subtechnique]]
id = "T1567.001"
name = "Exfiltration to Code Repository"
reference = "https://attack.mitre.org/techniques/T1567/001/"
[[rule.threat.technique.subtechnique]]
id = "T1567.002"
name = "Exfiltration to Cloud Storage"
reference = "https://attack.mitre.org/techniques/T1567/002/"
[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"