From bb97300f1f9c188288153344a5ecfbd76e2efcad Mon Sep 17 00:00:00 2001
From: Ali Alwashali
Date: Mon, 20 Nov 2023 14:47:01 +0300
Subject: [PATCH] Merge PR #4532 from @alwashali - Update EventLog Query Related Rules

new: EventLog Query Requests By Builtin Utilities
update: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Enhanced logic from simply covering wevtutil to covering other tools and conditions.

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
...proc_creation_win_susp_event_log_query.yml | 47 +++++++++++
...eation_win_susp_eventlog_content_recon.yml | 79 +++++++++++++++++++
.../proc_creation_win_wevtutil_recon.yml | 30 -------
3 files changed, 126 insertions(+), 30 deletions(-)
create mode 100644 rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml
create mode 100644 rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
delete mode 100644 rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml

diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml
new file mode 100644
index 00000000000..7c2769f296f
--- /dev/null
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_event_log_query.yml
@@ -0,0 +1,47 @@
+title: EventLog Query Requests By Builtin Utilities
+id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
+related:
+ - id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
+ type: derived
+status: experimental
+description: |
+ Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
+references:
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
+ - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
+author: Ali Alwashali, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/11/20
+tags:
+ - attack.t1552
+ - attack.credential_access
+ - detection.threat_hunting
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_wmi:
+ CommandLine|contains|all:
+ - 'Select'
+ - 'Win32_NTLogEvent'
+ selection_wevtutil_img:
+ - Image|endswith: '\wevtutil.exe'
+ - OriginalFileName: 'wevtutil.exe'
+ selection_wevtutil_cli:
+ CommandLine|contains:
+ - ' qe '
+ - ' query-events '
+ selection_wmic_img:
+ - Image|endswith: '\wevtutil.exe'
+ - OriginalFileName: 'wevtutil.exe'
+ selection_wmic_cli:
+ CommandLine|contains: ' ntevent'
+ selection_cmdlet:
+ CommandLine|contains:
+ - 'Get-WinEvent '
+ - 'get-eventlog '
+ condition: selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet
+falsepositives:
+ - Legitimate log access by administrators or troubleshooting tools
+level: medium
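Review bot: `selection_wmic_img` names the wrong binary — it carries the same values as `selection_wevtutil_img` (`Image|endswith: '\wevtutil.exe'` / `OriginalFileName: 'wevtutil.exe'`) while `selection_wmic_cli` matches the WMIC ` ntevent` alias, so `all of selection_wmic_*` can only fire when wevtutil itself is launched with "ntevent" on its command line and the WMIC coverage this commit advertises never matches a real `wmic ntevent` query. The two lines should read `- Image|endswith: '\wmic.exe'` and `- OriginalFileName: 'wmic.exe'`. This looks like a copy of the wevtutil block; the identical `selection_wmic_img` in proc_creation_win_susp_eventlog_content_recon.yml in the next hunk needs the same correction, and since that rule gates on `all of selection_wmic_*` as well, its WMIC path is equally dead until fixed.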
diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
new file mode 100644
index 00000000000..342adc7bba1
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml
@@ -0,0 +1,79 @@
+title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
+id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
+related:
+ - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
+ type: derived
+status: experimental
+description: |
+ Detects execution of different log query utilities to search and dump the content of specific event logs or look for specific event IDs.
+references:
+ - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+ - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
+ - https://www.group-ib.com/blog/apt41-world-tour-2021/
+ - https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
+ - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
+ - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
+author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
+date: 2022/09/09
+modified: 2023/11/20
+tags:
+ - attack.credential_access
+ - attack.discovery
+ - attack.t1552
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_wmi:
+ CommandLine|contains|all:
+ - 'Select'
+ - 'Win32_NTLogEvent'
+ selection_wevtutil_img:
+ - Image|endswith: '\wevtutil.exe'
+ - OriginalFileName: 'wevtutil.exe'
+ selection_wevtutil_cli:
+ CommandLine|contains:
+ - ' qe '
+ - ' query-events '
+ selection_wmic_img:
+ - Image|endswith: '\wevtutil.exe'
+ - OriginalFileName: 'wevtutil.exe'
+ selection_wmic_cli:
+ CommandLine|contains: ' ntevent'
+ selection_cmdlet:
+ CommandLine|contains:
+ - 'Get-WinEvent '
+ - 'get-eventlog '
+ selection_logs_name:
+ CommandLine|contains:
+ # Note: Add more event log channels that are interesting for attackers
+ - 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
+ - 'Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational'
+ - 'Security'
+ selection_logs_eid:
+ CommandLine|contains:
+ # Note: We use the "?" to account for both a single and a double quote
+ # Note: Please add additional interesting event IDs
+ # Note: As this only focuses on EIDs and we know EIDs are not unique across providers. Rare FPs might occur with legit queries to EIDs from different providers.
+ # This covers EID 4624 from Security Log
+ - '-InstanceId 4624'
+ - 'System[EventID=4624]'
+ - 'EventCode=?4624?'
+ - "EventIdentifier=?4624?"
+ # This covers EID 4778 from Security Log
+ - '-InstanceId 4778'
+ - 'System[EventID=4778]'
+ - 'EventCode=?4778?'
+ - "EventIdentifier=?4778?"
+ # This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
+ - '-InstanceId 25'
+ - 'System[EventID=25]'
+ - 'EventCode=?25?'
+ - "EventIdentifier=?25?"
+ condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)
+falsepositives:
+ - Legitimate usage of the utility by administrators to query the event log
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml b/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml
deleted file mode 100644
index 27a58fde21d..00000000000
--- a/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml
+++ /dev/null
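Review bot: In `selection_logs_eid` the `-InstanceId` values are unbounded prefix matches: `'-InstanceId 25'` also matches `-InstanceId 250`, `-InstanceId 2500` and so on, and `'-InstanceId 4624'` / `'-InstanceId 4778'` likewise match any five-digit ID starting with those digits, whereas the XPath form `System[EventID=25]` is closed by the bracket and the `EventCode=?25?` forms by the trailing quote wildcard. Because `1 of selection_logs_*` is what promotes a plain log query into a hit for this rule, a routine `Get-EventLog ... -InstanceId 2500` would be scored as an EID 25 lookup. A bounded form would be tighter — either a separate regex selection such as `CommandLine|re: '-InstanceId 25(\s|$)'` OR'd into the condition, or at minimum a comment next to the values, e.g. `# Note: "-InstanceId <id>" is a prefix match and also covers longer IDs starting with the same digits`, so the prefix behaviour is documented alongside the existing FP note on provider-overlapping EIDs.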
@@ -1,30 +0,0 @@
-title: Potential Recon Activity Using Wevtutil
-id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
-status: experimental
-description: Detects usage of the wevtutil utility to perform reconnaissance
-references:
- - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
-author: Nasreddine Bencherchali (Nextron Systems)
-date: 2022/09/09
-modified: 2023/01/18
-tags:
- - attack.discovery
-logsource:
- category: process_creation
- product: windows
-detection:
- selection_cli:
- Image|endswith: '\wevtutil.exe'
- CommandLine|contains:
- - ' qe '
- - ' query-events '
- selection_logs:
- CommandLine|contains:
- # Add more event log channels that are interesting for attackers
- - 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
- - 'Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational'
- - 'Security'
- condition: all of selection_*
-falsepositives:
- - Legitimate usage of the utility by administrators to query the event log
-level: medium