diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Security/4688_A_new_process_has_been_created/formula.xp b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Security/4688_A_new_process_has_been_created/formula.xp index ca4e49ac..a8c4dac9 100644 --- a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Security/4688_A_new_process_has_been_created/formula.xp +++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Security/4688_A_new_process_has_been_created/formula.xp @@ -41,14 +41,16 @@ else endif object.process.id = maybe_number16($Data["NewProcessId"]) -object.process.fullpath = lower($Data["NewProcessName"]) +#object.process.fullpath = lower($Data["NewProcessName"]) +object.process.fullpath = $Data["NewProcessName"] $process_path = csv(object.process.fullpath, "\\", "") object.process.name = $process_path[length($process_path) - 1] object.process.path = strip(object.process.fullpath, "", object.process.name) object.process.cmdline = $Data['CommandLine'] object.process.parent.id = maybe_number16($Data["ProcessId"]) -object.process.parent.fullpath = lower($Data["ParentProcessName"]) +#object.process.parent.fullpath = lower($Data["ParentProcessName"]) +object.process.parent.fullpath = $Data["ParentProcessName"] $process_parent_path = csv(object.process.parent.fullpath, "\\", "") object.process.parent.name = $process_parent_path[length($process_parent_path) - 1] object.process.parent.path = strip(object.process.parent.fullpath, "", object.process.parent.name) diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/i18n/i18n_en.yaml new file mode 100644 index 00000000..4173a885 --- /dev/null 
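Review bot: Removing `lower()` from `object.process.fullpath` and `object.process.parent.fullpath` makes `object.process.name` and the derived path fields case-sensitive, while the rules added in this same commit match and join on them literally: `object.process.name == "consent.exe"` in AccessTokenManipulation_via_Consent and the key `event_src.host, object.process.fullpath` in Subrule_AutoElevate_detection. Windows paths are case-insensitive, so a 4688 whose NewProcessName is spelled `C:\Windows\System32\Consent.exe` may now yield a name and fullpath that neither matches the filter nor joins with the canonical spelling. If the original casing is wanted for display, lower the values the rules compare on, e.g. `object.process.name = lower($process_path[length($process_path) - 1])`, or wrap the rule-side comparisons and keys in `lower()`. Either way the intent deserves a comment next to the kept `#object.process.fullpath = lower(...)` lines, which on their own read like debugging residue.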
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/i18n/i18n_en.yaml
@@ -0,0 +1,4 @@
+Description: 'The launch of child processes with different Access Tokens was detected'
+EventDescriptions:
+ - LocalizationId: 'corrname_AccessTokenManipulation_via_Consent'
+ EventDescription: 'Process with PID {object.process.parent.id} escalate own privileges:{alert.key} afted lauched (subject.process.name) process at host {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/i18n/i18n_ru.yaml
new file mode 100644
index 00000000..4c1d5c6e
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/i18n/i18n_ru.yaml
@@ -0,0 +1,4 @@
+Description: 'Обнаружен запуск дочерних процессов с различными маркерами доступа (Access Tokens).'
+EventDescriptions:
+ - LocalizationId: 'corrname_AccessTokenManipulation_via_Consent'
+ EventDescription: 'Процесс с идентификатором {object.process.parent.id} повысил свои привилегии: {alert.key} после запуска полцесса {subject.process.name} на хосте {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/metainfo.yaml
new file mode 100644
index 00000000..17933622
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/metainfo.yaml
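Review bot: In the English `EventDescription` the process name is written as `(subject.process.name)` with parentheses, so unlike `{object.process.parent.id}` and `{event_src.host}` it is not a placeholder and will be printed literally. The same line has grammar slips ("escalate", "afted lauched"); suggested text: `EventDescription: 'Process with PID {object.process.parent.id} escalated its privileges: {alert.key} after launching {subject.process.name} at host {event_src.host}'`. The Russian text in i18n_ru.yaml has the same kind of slip (`полцесса` for `процесса`). Both texts interpolate `{alert.key}`, which the rule in this commit only assigns in a commented-out line, so the placeholder will render empty until that is resolved.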
@@ -0,0 +1,31 @@
+ObjectId: LOC-CR-330352538
+ContentAutoName: AccessTokenManipulation_via_Consent
+ExpertContext:
+ Created: 19.06.2023
+ Updated: 19.06.2023
+ KnowledgeHolders:
+ - driverenok
+ Usecases:
+ - Атакующие могут манипулировать маркерами доступа (Access Tokens) путем подмены dll, загружаемых в процесс consent.exe
+ References:
+ - https://attack.mitre.org/techniques/T1134/
+ - https://attack.mitre.org/techniques/T1548/002/
+ DataSources:
+ - Provider: Microsoft-Windows-Security-Auditing
+ EventID:
+ - 4688
+ - Provider: Microsoft-Windows-Sysmon
+ EventID:
+ - 1
+ContentRelations:
+ Implements:
+ ATTACK:
+ privilege-escalation:
+ - T1134
+ - T1548.002
+ defense-evasion:
+ - T1134
+ - T1548.002
+EventDescriptions:
+ - Criteria: correlation_name = "AccessTokenManipulation_via_Consent"
+ LocalizationId: corrname_AccessTokenManipulation_via_Consent
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/rule.co
new file mode 100644
index 00000000..e16ed645
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/rule.co
@@ -0,0 +1,118 @@
+event Process_Start:
+ key:
+ event_src.host#, subject.account.session_id
+ filter {
+ filter::NotFromCorrelator() and
+ filter::ProcessStart_Windows_any() and
+ object.process.name == "consent.exe"
+ }
+
+event Process_Start_with_DifferentTokens:
+ key:
+ event_src.host#, subject.account.session_id
+ filter {
+ correlation_name == "Subrule_CreateChildProcess_with_DifferentTokens"
+ }
+
+rule AccessTokenManipulation_via_Consent: Process_Start and Process_Start_with_DifferentTokens #(Process_Start and ) with different object.process.parent.id within 10s
+
+ on Process_Start {
+ $object.account.name = subject.account.name
+ $object.account.domain = subject.account.domain
+ $object.account.fullname = subject.account.fullname
+ $object.account.id = subject.account.id
+ $object.account.session_id = subject.account.session_id
+ $object.account.privileges = subject.account.privileges
+
+ $event_src.ip = event_src.ip
+ $event_src.hostname = event_src.hostname
+ $event_src.fqdn = event_src.fqdn
+ $event_src.host = event_src.host
+ $event_src.asset = event_src.asset
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.rule = event_src.rule
+
+ $subject.process.id = object.process.id
+ $subject.process.name = object.process.name
+ $subject.process.path = object.process.path
+ $subject.process.fullpath = object.process.fullpath
+ $subject.process.hash = object.process.hash
+ $subject.process.hash.md5 = object.process.hash.md5
+ $subject.process.hash.sha1 = object.process.hash.sha1
+ $subject.process.hash.sha256 = object.process.hash.sha256
+ $subject.process.version = object.process.version
+ $subject.process.cmdline = object.process.cmdline
+ $subject.process.guid = object.process.guid
+ $subject.process.meta = object.process.meta
+ $subject.process.original_name = object.process.original_name
+ $subject.process.cwd = object.process.cwd
+ $subject.process.chain = object.process.chain
+ }
+
+ #on Process_Start {
+ # $subject.process.id = object.process.id
+ # $subject.process.name = object.process.name
+ # $subject.process.path = object.process.path
+ # $subject.process.fullpath = object.process.fullpath
+ # $subject.process.guid = object.process.guid
+ # $subject.process.cmdline = object.process.cmdline
+ #}
+
+ on Process_Start_with_DifferentTokens {
+ $subject.account.name = subject.account.name
+ $subject.account.domain = subject.account.domain
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.session_id = subject.account.session_id
+ $subject.account.id = subject.account.id
+ $subject.account.privileges = subject.account.privileges
+
+ $object.process.id = object.process.id
+ $object.process.name = object.process.name
+ $object.process.path = object.process.path
+ $object.process.fullpath = object.process.fullpath
+ $object.process.hash = object.process.hash
+ $object.process.hash.md5 = object.process.hash.md5
+ $object.process.hash.sha1 = object.process.hash.sha1
+ $object.process.hash.sha256 = object.process.hash.sha256
+ $object.process.version = object.process.version
+ $object.process.cmdline = object.process.cmdline
+ $object.process.guid = object.process.guid
+ $object.process.meta = object.process.meta
+ $object.process.original_name = object.process.original_name
+ $object.process.cwd = object.process.cwd
+ $object.process.chain = object.process.chain
+
+ $object.process.parent.id = object.process.parent.id
+ $object.process.parent.name = object.process.parent.name
+ $object.process.parent.path = object.process.parent.path
+ $object.process.parent.fullpath = object.process.parent.fullpath
+ $object.process.parent.guid = object.process.parent.guid
+ $object.process.parent.cmdline = object.process.parent.cmdline
+
+ #$alert.key = $object.account.privileges + "->" $subject.account.privileges
+
+ }
+
+emit {
+ $correlation_type = "incident"
+
+ $subject = "account"
+ $action = "escalate"
+ $object = "account"
+ $status = "success"
+
+ $importance = "medium"
+
+ $category.generic = "Attack"
+ $category.high = "Privilege Escalation"
+ $category.low = "Access Token Manipulation"
+
+ $incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($object.account.name)], "|")
+ $incident.aggregation.timeout = 2h
+
+ $incident.severity = $importance
+
+ $incident.category = "Undefined"
+}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/tests/test_1.sc
new file mode 100644
index 00000000..12ac99cd
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/tests/test_1.sc
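Review bot: On the `rule AccessTokenManipulation_via_Consent:` line the leftover `#(Process_Start and )` sits in front of `with different object.process.parent.id within 10s`; if `#` comments to end of line here as it does on the `#on Process_Start {` lines further down, that tail, including the 10s window, is discarded and the two events are joined with no time bound. Drop the leftover so the clause is live: `rule AccessTokenManipulation_via_Consent: Process_Start and Process_Start_with_DifferentTokens with different object.process.parent.id within 10s`. The `event_src.host#, subject.account.session_id` key lines of both events carry a similar stray `#` (the Subrule in this commit keys on `event_src.host, object.process.fullpath` without it), so check that the session id really is part of the key rather than commented away. `$alert.key` is assigned only in a commented line, yet both i18n descriptions interpolate `{alert.key}`; either restore it as `$alert.key = $object.account.privileges + "->" + $subject.account.privileges` (the commented version also lacks the second `+`) or remove the placeholder from the texts.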
@@ -0,0 +1,7 @@ +# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. +# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6236956Z\"},\"EventRecordID\":\"18198\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x7f0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x3c8\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": 
"workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.id": "2032", "object.process.name": "consent.exe", "object.process.parent.id": "968", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T10:56:53.856Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.623Z", "type": "raw", "uuid": "d61e0e53-ae9d-40fa-8d93-152160bbac12"} +{"_rule": "Subrule_CreateChildProcess_with_DifferentTokens", "action": "escalate", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation", "correlation_name": "Subrule_CreateChildProcess_with_DifferentTokens", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "incident.aggregation.key": "Subrule_CreateChildProcess_with_DifferentTokens|iewin7|1264", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "account", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", 
"object.account.name": "iewin7$", "object.account.privileges": "TokenElevationTypeFull", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "time": "2019-05-11T17:10:15.623Z"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"_rule": "AccessTokenManipulation_via_Consent", "action": "escalate", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation", "correlation_name": "AccessTokenManipulation_via_Consent", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "incident.aggregation.key": "AccessTokenManipulation_via_Consent|iewin7|iewin7$", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "account", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.privileges": "TokenElevationTypeDefault", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": 
"c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.id": "2032", "subject.process.name": "consent.exe", "subject.process.path": "c:\\windows\\system32\\"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/i18n/i18n_en.yaml new file mode 100644 index 00000000..d8ac0a65 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/i18n/i18n_en.yaml @@ -0,0 +1,4 @@ +Description: 'AutoElevate process start was detected' +EventDescriptions: + - LocalizationId: 'corrname_Subrule_AutoElevate_detection' + EventDescription: 'Process {object.process.name} started with AutoElevation flag behalf of the user {object.account.domain}\{object.account.name} at host {event_src.host}' diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/i18n/i18n_ru.yaml new file mode 100644 index 00000000..7088e797 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/i18n/i18n_ru.yaml 
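Review bot: The first input is a pre-normalized 4688 (`"normalized": true`) whose `object.process.fullpath` and `object.process.path` are lower-cased (`c:\\windows\\system32\\consent.exe`), but the formula.xp change in this commit stops applying `lower()` to `NewProcessName`, so this fixture no longer represents what the normalizer produces for the embedded raw body (`C:\\Windows\\System32\\consent.exe`). Regenerate the normalized event with the updated formula (or feed the raw body and let the test normalize it) so that the `subject.process.fullpath` and `subject.process.path` values in the `expect` block are checked against real output. As written the scenario passes regardless of the casing change and gives no evidence that `object.process.name == "consent.exe"` still matches live events.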
@@ -0,0 +1,4 @@
+Description: 'Обнаружен запуск процесса с автоматическим повышением привилегий (AutoElevate)'
+EventDescriptions:
+ - LocalizationId: 'corrname_Subrule_AutoElevate_detection'
+ EventDescription: 'Процесс {object.process.name} запущен с автоматическим повышением привилегий от имени пользователя {object.account.domain}\{object.account.name} на хосте {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/metainfo.yaml
new file mode 100644
index 00000000..b859049d
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/metainfo.yaml
@@ -0,0 +1,31 @@
+ObjectId: LOC-CR-124009838
+ContentAutoName: Subrule_AutoElevate_detection
+ExpertContext:
+ Created: 22.06.2023
+ Updated: 26.06.2023
+ KnowledgeHolders:
+ - driverenok
+ Usecases:
+ - "Легитимная активность, в результате которой процесс, имеющий в манифесте исполняемого файла опцию AutoElevate, запускается дважды: 1й запуск - с LimitedToken, 2й раз - с FullToken"
+ Falsepositives:
+ - Процессы, родителем которых является процесс explorer.exe и запускаются администраторами
+ References:
+ - https://attack.mitre.org/techniques/T1548/
+ - https://github.com/rootm0s/WinPwnage
+ DataSources:
+ - Provider: Microsoft-Windows-Security-Auditing
+ EventID:
+ - 4688
+ - 4689
+ - Provider: Microsoft-Windows-Sysmon
+ EventID:
+ - 1
+ - 5
+ContentRelations:
+ Implements:
+ ATTACK:
+ privilege-escalation:
+ - T1548
+EventDescriptions:
+ - Criteria: correlation_name = "Subrule_AutoElevate_detection"
+ LocalizationId: corrname_Subrule_AutoElevate_detection
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/rule.co
new file mode 100644
index 00000000..6aee77b9
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/rule.co
@@ -0,0 +1,120 @@
+event Process_Start_with_LimitedToken:
+ key:
+ event_src.host, object.process.fullpath
+ filter {
+ filter::NotFromCorrelator() and
+ filter::ProcessStart_Windows_any() and
+ lower(subject.account.privileges) == "tokenelevationtypelimited"
+ }
+
+event Process_Stop_with_Elevated_ExitCode:
+ key:
+ event_src.host, object.process.fullpath
+ filter {
+ filter::NotFromCorrelator() and (
+ event_src.title == "windows" and msgid == "4689" or
+ event_src.title == "sysmon" and msgid == "5"
+ ) and
+ reason == "0xc000042c"
+ }
+
+event Process_Start_with_ElevatedToken:
+ key:
+ event_src.host, object.process.fullpath
+ filter {
+ filter::NotFromCorrelator() and
+ filter::ProcessStart_Windows_any() and
+ in_list(["tokenelevationtypefull", "tokenelevationtypedefault"], lower(subject.account.privileges))
+ }
+
+rule Subrule_AutoElevate_detection: (Process_Start_with_LimitedToken and Process_Stop_with_Elevated_ExitCode? and Process_Start_with_ElevatedToken) timer 10s with different subject.account.privileges
+
+ on Process_Start_with_LimitedToken {
+ $object.account.id = object.account.id
+ $object.account.name = object.account.name
+ $object.account.domain = object.account.domain
+ $object.account.fullname = object.account.fullname
+ $object.account.session_id = object.account.session_id
+ $object.account.privileges = subject.account.privileges
+
+ $object.process.id = object.process.id
+ $object.process.name = object.process.name
+ $object.process.path = object.process.path
+ $object.process.fullpath = object.process.fullpath
+ $object.process.hash = object.process.hash
+ $object.process.hash.md5 = object.process.hash.md5
+ $object.process.hash.sha1 = object.process.hash.sha1
+ $object.process.hash.sha256 = object.process.hash.sha256
+ $object.process.version = object.process.version
+ $object.process.cmdline = object.process.cmdline
+ $object.process.guid = object.process.guid
+ $object.process.meta = object.process.meta
+ $object.process.original_name = object.process.original_name
+ $object.process.cwd = object.process.cwd
+ $object.process.chain = object.process.chain
+
+ $object.process.parent.id = object.process.parent.id
+ $object.process.parent.name = object.process.parent.name
+ $object.process.parent.path = object.process.parent.path
+ $object.process.parent.fullpath = object.process.parent.fullpath
+ $object.process.parent.guid = object.process.parent.guid
+ $object.process.parent.cmdline = object.process.parent.cmdline
+
+ $event_src.ip = event_src.ip
+ $event_src.hostname = event_src.hostname
+ $event_src.fqdn = event_src.fqdn
+ $event_src.host = event_src.host
+ $event_src.asset = event_src.asset
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.rule = event_src.rule
+
+ $alert.key = subject.account.privileges
+ $alert.context = "PID_" + object.process.parent.id + "_start_process_" + object.process.name + "_with_" + subject.account.privileges
+ }
+
+ on Process_Stop_with_Elevated_ExitCode {
+ $object.state = object.state
+
+ if object.state == "0xc000042c" or reason == "0xc000042c" then
+ $reason = "STATUS_ELEVATION_REQUIRED"
+ endif
+ }
+
+ on Process_Start_with_ElevatedToken {
+ $subject = subject
+
+ $subject.account.id = subject.account.id
+ $subject.account.name = subject.account.name
+ $subject.account.domain = subject.account.domain
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.session_id = subject.account.session_id
+ $subject.account.privileges = subject.account.privileges
+
+ $action = action
+
+ $object = object
+
+ $status = status
+
+ $alert.key = $alert.key + "->" + subject.account.privileges
+ $alert.context = $alert.context + "_then_PID_" + object.process.parent.id + "_start_process_" + object.process.name + "_with_" + subject.account.privileges
+ }
+
+emit {
+ $correlation_type = "event"
+
+ $importance = "low"
+
+ $category.generic = "Attack"
+ $category.high = "Privilege Escalation"
+ $category.low = "Elevation Control Mechanism"
+
+ $incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($object.process.fullpath)], "|")
+ $incident.aggregation.timeout = 1h
+
+ $incident.severity = $importance
+
+ $incident.category = "Undefined"
+}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_1.json
new file mode 100644
index 00000000..bd771ece
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_1.json
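Review bot: All three event keys are `event_src.host, object.process.fullpath`, so any limited-token start and any elevated-token start of the same executable on a host within `timer 10s` are correlated even when they come from unrelated parents or users; the raw fixtures in raw_events_1.json share the parent `ProcessId` 0x944 and `$alert.context` already records `object.process.parent.id`, so extending the keys to `event_src.host, object.process.fullpath, object.process.parent.id` would tie the two starts to the same launching process and remove much of the explorer.exe false-positive class noted in metainfo.yaml. In `on Process_Stop_with_Elevated_ExitCode` the test `if object.state == "0xc000042c" or reason == "0xc000042c" then` is always true because the event filter already requires `reason == "0xc000042c"`, so `$reason = "STATUS_ELEVATION_REQUIRED"` can be assigned unconditionally. The `event_src.title == "sysmon" and msgid == "5"` branch can only match if the Sysmon normalizer fills `reason` with an exit status, which the Sysmon process-terminate event does not carry natively; confirm that mapping or drop the branch together with the Sysmon 5 entry in metainfo.yaml. A one-line comment above the `rule` line stating that the optional `Process_Stop_with_Elevated_ExitCode?` event exists only to strengthen the match, not to gate it, would spare the next reader the inference.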
@@ -0,0 +1,3 @@ +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.0268449Z\"},\"EventRecordID\":\"1676626\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"48\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3bc93\"},{\"Name\":\"NewProcessId\",\"text\":\"0x548\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-22T19:08:06.487Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"160e9a36-942b-464d-afeb-580ccdcc4b66"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4689\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13313\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.0424703Z\"},\"EventRecordID\":\"1676627\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3bc93\"},{\"Name\":\"Status\",\"text\":\"0xc000042c\"},{\"Name\":\"ProcessId\",\"text\":\"0x548\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-22T19:08:06.489Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"3d36ab5b-d2f1-49a9-95f5-e28e35834b64"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.4643561Z\"},\"EventRecordID\":\"1676639\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"WIN7-HACK$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xae0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-22T19:08:06.490Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"70ef4f25-dc12-4038-b382-80a6eae212d0"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_2.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_2.json new file mode 100644 index 00000000..c8bbf3eb --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_2.json 
@@ -0,0 +1,2 @@ +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.0268449Z\"},\"EventRecordID\":\"1676626\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"48\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3bc93\"},{\"Name\":\"NewProcessId\",\"text\":\"0x548\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-22T19:08:06.487Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"160e9a36-942b-464d-afeb-580ccdcc4b66"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.4643561Z\"},\"EventRecordID\":\"1676639\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"WIN7-HACK$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xae0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-22T19:08:06.490Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"70ef4f25-dc12-4038-b382-80a6eae212d0"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_3.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_3.json new file mode 100644 index 00000000..aa41a4bd --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_3.json 
@@ -0,0 +1,2 @@
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:44:16.508Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"3f5255f8-2046-4ccc-8ab0-94241391249d"}
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:47:21.139Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"a7cf27bb-23a3-4f08-bef1-22633514db07"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_4.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_4.json
new file mode 100644
index 00000000..9a6dadf9
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_4.json
@@ -0,0 +1,3 @@
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:44:16.508Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"3f5255f8-2046-4ccc-8ab0-94241391249d"}
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:47:21.139Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"a7cf27bb-23a3-4f08-bef1-22633514db07"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8893206Z\"},\"EventRecordID\":\"18207\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xc74\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:44:56.726Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"4b969569-cc44-4df3-a0f2-cc9d3aab72d5"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_1.sc
new file mode 100644
index 00000000..043bb8c9
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_1.sc
@@ -0,0 +1,8 @@
+# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции.
+# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку.
+{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.0268449Z\"},\"EventRecordID\":\"1676626\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"48\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3bc93\"},{\"Name\":\"NewProcessId\",\"text\":\"0x548\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": 
"00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.session_id": "244883", "object.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1352", "object.process.name": "wusa.exe", "object.process.parent.id": "2372", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-22T19:08:06.487Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "subject.account.name": "администратор", "subject.account.privileges": "TokenElevationTypeLimited", "subject.account.session_id": "244883", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-20T15:36:08.026Z", "type": "raw", "uuid": "160e9a36-942b-464d-afeb-580ccdcc4b66"}
+{"action": "stop", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4689\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13313\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.0424703Z\"},\"EventRecordID\":\"1676627\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3bc93\"},{\"Name\":\"Status\",\"text\":\"0xc000042c\"},{\"Name\":\"ProcessId\",\"text\":\"0x548\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield1": "244883", "event_src.category": "Operating system", "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4689_A_process_has_exited", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4689", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.session_id": "244883", "object.id": "1352", "object.name": "wusa.exe", "object.path": 
"C:\\Windows\\System32\\", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1352", "object.process.name": "wusa.exe", "object.process.path": "C:\\Windows\\System32\\", "object.state": "0xc000042c", "reason": "0xc000042c", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-22T19:08:06.489Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "subject.account.name": "администратор", "subject.account.session_id": "244883", "subject.domain": "stand2008", "subject.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "subject.name": "администратор", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-20T15:36:08.042Z", "type": "raw", "uuid": "3d36ab5b-d2f1-49a9-95f5-e28e35834b64"}
+{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.4643561Z\"},\"EventRecordID\":\"1676639\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"WIN7-HACK$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xae0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"C
ommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-18", "object.account.name": "win7-hack$", "object.account.session_id": "999", "object.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "2784", "object.process.name": "wusa.exe", "object.process.parent.id": "2372", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-22T19:08:06.490Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-20T15:36:08.464Z", "type": "raw", "uuid": "70ef4f25-dc12-4038-b382-80a6eae212d0"}
+
+# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"_rule": "Subrule_AutoElevate_detection", "action": "start", "alert.context": "PID_2372_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_2372_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Elevation Control Mechanism", "correlation_name": "Subrule_AutoElevate_detection", "correlation_type": "event", "count": 1, "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "low", "incident.aggregation.key": "Subrule_AutoElevate_detection|win7-hack.stand2008.local|c:\\windows\\system32\\wusa.exe", "incident.aggregation.timeout": 3600, "incident.category": "Undefined", "incident.severity": "low", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "244883", "object.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1352", "object.process.name": "wusa.exe", "object.process.parent.id": "2372", "object.process.path": "C:\\Windows\\System32\\", "object.state": "0xc000042c", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "reason": "STATUS_ELEVATION_REQUIRED", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", 
"subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_2.sc
new file mode 100644
index 00000000..cf832a93
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_2.sc
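Review bot: The expected alert at the end of this hunk carries `object.state: 0xc000042c` and `reason: STATUS_ELEVATION_REQUIRED` lifted from the intervening 4689, yet test_2 in the same commit expects an alert from the same two 4688s with no 4689 at all, so the exit status looks like pass-through enrichment rather than a trigger condition, and the fixture should say so in its header, e.g. `# the 4689 with Status 0xC000042C (STATUS_ELEVATION_REQUIRED) between the two 4688s is optional enrichment, not a condition of the rule`. Both 4688s are Version 1 events without TargetUserSid/TargetLogonId, so the only link between the limited launch under logon 0x3bc93 and the SYSTEM-subject full-token launch under logon 0x3e7 is the creator PID 0x944 (`object.process.parent.id` 2372); since PIDs are reused, a fixture in which a process from a different logon session with the same parent PID performs the full-token launch would pin whether the rule tolerates that. The rule body is not visible here, so whether it bounds the pairing by a time window is an open question.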
@@ -0,0 +1,7 @@
+# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции.
+# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку.
+{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.0268449Z\"},\"EventRecordID\":\"1676626\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"48\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3bc93\"},{\"Name\":\"NewProcessId\",\"text\":\"0x548\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": 
"00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.session_id": "244883", "object.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1352", "object.process.name": "wusa.exe", "object.process.parent.id": "2372", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-22T19:08:06.487Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "subject.account.name": "администратор", "subject.account.privileges": "TokenElevationTypeLimited", "subject.account.session_id": "244883", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-20T15:36:08.026Z", "type": "raw", "uuid": "160e9a36-942b-464d-afeb-580ccdcc4b66"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.4643561Z\"},\"EventRecordID\":\"1676639\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"WIN7-HACK$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xae0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-18", "object.account.name": "win7-hack$", "object.account.session_id": "999", 
"object.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "2784", "object.process.name": "wusa.exe", "object.process.parent.id": "2372", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-22T19:08:06.490Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-20T15:36:08.464Z", "type": "raw", "uuid": "70ef4f25-dc12-4038-b382-80a6eae212d0"}
+
+# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"_rule": "Subrule_AutoElevate_detection", "action": "start", "alert.context": "PID_2372_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_2372_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Elevation Control Mechanism", "correlation_name": "Subrule_AutoElevate_detection", "correlation_type": "event", "count": 1, "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "low", "incident.aggregation.key": "Subrule_AutoElevate_detection|win7-hack.stand2008.local|c:\\windows\\system32\\wusa.exe", "incident.aggregation.timeout": 3600, "incident.category": "Undefined", "incident.severity": "low", "normalized": true, "object": "process", 
"object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "244883", "object.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1352", "object.process.name": "wusa.exe", "object.process.parent.id": "2372", "object.process.path": "C:\\Windows\\System32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_3.sc
new file mode 100644
index 00000000..b4f1df5b
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_3.sc
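Review bot: This scenario and its siblings are all positive cases (`expect 1`), so nothing in the suite proves the rule stays quiet on a near-miss; a regression that pairs any TokenElevationTypeLimited 4688 with any later TokenElevationTypeFull 4688 from the same creator PID would still pass. The `alert.context` the test expects (`PID_2372_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_2372_start_process_wusa.exe_with_TokenElevationTypeFull`) implies same-parent, same-image and ordering constraints, and each deserves an `expect 0` fixture built from these two events: the full-token 4688 delivered first, `NewProcessName` changed to a different image on one side, or `ProcessId` differing between them. Whether the rule actually enforces all three cannot be confirmed from the tests alone, since the rule body is not visible here.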
@@ -0,0 +1,7 @@
+# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции.
+# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку.
+{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", 
"object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.session_id": "79717", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:44:16.508Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "TokenElevationTypeLimited", "subject.account.session_id": "79717", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.608Z", "type": "raw", "uuid": "3f5255f8-2046-4ccc-8ab0-94241391249d"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", 
"object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:47:21.139Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.826Z", "type": "raw", "uuid": "a7cf27bb-23a3-4f08-bef1-22633514db07"}
+
+# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
+expect 1 {"_rule": "Subrule_AutoElevate_detection", "action": "start", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Elevation Control Mechanism", "correlation_name": "Subrule_AutoElevate_detection", "correlation_type": "event", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "low", "incident.aggregation.key": "Subrule_AutoElevate_detection|iewin7|c:\\windows\\system32\\wusa.exe", "incident.aggregation.timeout": 3600, "incident.category": "Undefined", "incident.severity": "low", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "79717", "object.process.fullpath": 
"C:\\Windows\\System32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_4.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_4.sc
new file mode 100644
index 00000000..27cd362d
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_4.sc
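Review bot: Both 4688s in this hunk carry a `CommandLine` element with no `text` (presumably command-line auditing was off on the source host) and the normalized events accordingly have no `object.process.cmdline`, which is useful coverage that the rule does not depend on the command line, but nothing in the file states that this is what distinguishes the scenario from test_1/test_2. A one-line header comment would keep the next editor from "completing" the fixture, e.g. `# events captured without 'Include command line in process creation events': the rule must fire without object.process.cmdline`. Note also that the expected alert's subject is the machine account (`subject.account.id: S-1-5-18`, `subject.account.name: iewin7$`, domain `workgroup`) while the interactive user appears only as `object.account.name: ieuser`; that appears to be what the 4688 data yields for the full-token launch, but an analyst reading the alert as "who escalated" will see the computer account, so whatever presents this alert should surface the object account as the requesting user.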
@@ -0,0 +1,9 @@ +# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. +# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", 
"object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.session_id": "79717", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:44:16.508Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "TokenElevationTypeLimited", "subject.account.session_id": "79717", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.608Z", "type": "raw", "uuid": "3f5255f8-2046-4ccc-8ab0-94241391249d"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", 
"object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:47:21.139Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.826Z", "type": "raw", "uuid": "a7cf27bb-23a3-4f08-bef1-22633514db07"} +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8893206Z\"},\"EventRecordID\":\"18207\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xc74\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": 
"Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "C:\\Windows\\System32\\cmd.exe", "object.process.id": "3188", "object.process.name": "cmd.exe", "object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:44:56.726Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.889Z", "type": "raw", "uuid": "4b969569-cc44-4df3-a0f2-cc9d3aab72d5"} + + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"_rule": "Subrule_AutoElevate_detection", "action": "start", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Elevation Control Mechanism", "correlation_name": "Subrule_AutoElevate_detection", "correlation_type": "event", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "low", "incident.aggregation.key": "Subrule_AutoElevate_detection|iewin7|c:\\windows\\system32\\wusa.exe", "incident.aggregation.timeout": 3600, "incident.category": "Undefined", "incident.severity": "low", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "79717", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"} 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_1.tc
new file mode 100644
index 00000000..4334de50
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_1.tc
@@ -0,0 +1 @@
+expect 1 {"correlation_name": "Subrule_AutoElevate_detection"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_2.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_2.tc
new file mode 100644
index 00000000..4334de50
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_2.tc
@@ -0,0 +1 @@
+expect 1 {"correlation_name": "Subrule_AutoElevate_detection"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_3.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_3.tc
new file mode 100644
index 00000000..4334de50
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_3.tc
@@ -0,0 +1 @@
+expect 1 {"correlation_name": "Subrule_AutoElevate_detection"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_4.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_4.tc
new file mode 100644
index 00000000..390416da
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_4.tc @@ -0,0 +1 @@ +expect 1 {"_rule": "Subrule_AutoElevate_detection", "action": "start", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Elevation Control Mechanism", "correlation_name": "Subrule_AutoElevate_detection", "correlation_type": "event", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "low", "incident.aggregation.key": "Subrule_AutoElevate_detection|iewin7|c:\\windows\\system32\\wusa.exe", "incident.aggregation.timeout": 3600, "incident.category": "Undefined", "incident.severity": "low", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "79717", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"} \ No newline at end of file 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/i18n/i18n_en.yaml
new file mode 100644
index 00000000..6b46ee29
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/i18n/i18n_en.yaml
@@ -0,0 +1,4 @@
+Description: 'UAC bypass was detected via AccessToken manipulation'
+EventDescriptions:
+ - LocalizationId: 'corrname_UAC_bypass_via_AccessToken_manipulation'
+ EventDescription: 'Process {object.process.name} started by process {subject.process.name} with AutoElevation flag behalf of the user {object.account.domain}\{object.account.name} at host {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/i18n/i18n_ru.yaml
new file mode 100644
index 00000000..10db0a5d
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/i18n/i18n_ru.yaml
@@ -0,0 +1,4 @@
+Description: 'Обнаружен обход UAC путем манипуляции с токенами доступа (Access Tokens)'
+EventDescriptions:
+ - LocalizationId: 'corrname_UAC_bypass_via_AccessToken_manipulation'
+ EventDescription: 'Процесс {object.process.name} запущен процессом {subject.process.name} с автоматическим повышением привилегий от имени пользователя {object.account.domain}\{object.account.name} на хосте {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/metainfo.yaml
new file mode 100644
index 00000000..1359a095
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/metainfo.yaml
@@ -0,0 +1,26 @@
+ObjectId: LOC-CR-193475549
+ContentAutoName: UAC_bypass_via_AccessToken_manipulation
+ExpertContext:
+ Created: 26.06.2023
+ Updated: 25.07.2023
+ KnowledgeHolders:
+ - driverenok
+ Usecases:
+ - Атакующие могут обходить UAC путем манипуляции токенами доступа (Access Tokens)
+ References:
+ - https://attack.mitre.org/techniques/T1548/002/
+ DataSources:
+ - Provider: Microsoft-Windows-Security-Auditing
+ EventID:
+ - 4688
+ - Provider: Microsoft-Windows-Sysmon
+ EventID:
+ - 1
+ContentRelations:
+ Implements:
+ ATTACK:
+ privilege-escalation:
+ - T1548.002
+EventDescriptions:
+ - Criteria: correlation_name = "UAC_bypass_via_AccessToken_manipulation"
+ LocalizationId: corrname_UAC_bypass_via_AccessToken_manipulation
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/rule.co
new file mode 100644
index 00000000..3fc838a9
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/rule.co
@@ -0,0 +1,139 @@
+# Emulate:
+# > git clone https://github.com/rootm0s/WinPwnage.git and install it
+# > python .\main.py --use uac --id 11 --payload c:\\windows\\system32\\cmd.exe
+
+# How it works:
+#cmd.exe (PID: 0xa18, SubjectName: Администратор, TokenElevationTypeLimited, LogonId: 0x3bc93)
+└── py.exe(PID: 0x988, SubjectName: Администратор, TokenElevationTypeLimited, LogonId: 0x3bc93)
+# └── python.exe (PID: 0x944, SubjectName: Администратор, TokenElevationTypeLimited, LogonId: 0x3bc93)
+# ├── wusa.exe (PID: 0x548, SubjectName: Администратор, TokenElevationTypeLimited, LogonId: 0x3bc93)
+# │ ---> ProcessTerminate(wusa.exe, EventId: 4689, PID: 0x548, ExitStatus: 0xc000042c - STATUS_ELEVATION _REQUIRED)
+# ├── wusa.exe (PID: 0xae0, SubjectName: WIN7-HACK$, TokenElevationTypeFull, LogonId: 0x3e7)
+# │ ---> hToken = NtOpenProcessToken (ProcessName: wusa.exe, DesiredAccess: 0x02000000)
+# │ ---> ProcessTerminate(EventId: 4689, wusa.exe, PID: 0xae0, ExitStatus: 0xffffffff)
+# │ ---> newToken = DuplicateTokenEx (hToken, DesiredAccess: TOKEN_ALL_ACCESS)
+# │ ---> ImpersonateLoggedOnUser(newToken)
+# │ ---> CreteProcessWithToken(u"aaa", u"bbb", u"ccc", LOGON_NETCREDENTIALS_ONLY, EventId: 4624, LogonType: 9, SubjectName = TargetName, SubjectLogonId != TargetLogonId, LogonProcessName: seclogo)
+# └── cmd.exe (PID: 0xb24, SubjectName: WIN7-HACK$, TokenElevationTypeDefault, LogonId: 0x3e7)
+
+event AutoElevate_Detect:
+ key:
+ event_src.host, subject.account.session_id, object.process.parent.id
+ filter {
+ correlation_name == "Subrule_AutoElevate_detection"
+ }
+
+event Process_Start:
+ key:
+ event_src.host, subject.account.session_id, object.process.parent.id
+ filter {
+ filter::NotFromCorrelator()
+ and filter::ProcessStart_Windows_any() and
+ in_list(["tokenelevationtypefull", "tokenelevationtypedefault"], lower(subject.account.privileges))
+ }
+
+rule UAC_bypass_via_AccessToken_manipulation: (AutoElevate_Detect -> Process_Start with different object.process.name)
timer 10s + on AutoElevate_Detect { + $subject = "account" + + $subject.process.id = object.process.id + $subject.process.name = object.process.name + $subject.process.path = object.process.path + $subject.process.fullpath = object.process.fullpath + $subject.process.hash = object.process.hash + $subject.process.hash.md5 = object.process.hash.md5 + $subject.process.hash.sha1 = object.process.hash.sha1 + $subject.process.hash.sha256 = object.process.hash.sha256 + $subject.process.version = object.process.version + $subject.process.cmdline = object.process.cmdline + $subject.process.guid = object.process.guid + $subject.process.meta = object.process.meta + $subject.process.original_name = object.process.original_name + $subject.process.cwd = object.process.cwd + $subject.process.chain = object.process.chain + + $subject.process.parent.id = object.process.parent.id + $subject.process.parent.name = object.process.parent.name + $subject.process.parent.path = object.process.parent.path + $subject.process.parent.fullpath = object.process.parent.fullpath + $subject.process.parent.guid = object.process.parent.guid + $subject.process.parent.cmdline = object.process.parent.cmdline + + $action = "escalate" + + $object = "account" + + $object.account.id = object.account.id + $object.account.name = object.account.name + $object.account.domain = object.account.domain + $object.account.fullname = object.account.fullname + $object.account.session_id = object.account.session_id + $object.account.privileges = object.account.privileges + + $status = "success" + + $alert.key = object.account.privileges + $alert.context = "PID_" + object.process.parent.id + "_with_" + object.account.privileges + } + on Process_Start { + $subject.account.id = subject.account.id + $subject.account.name = subject.account.name + $subject.account.domain = subject.account.domain + $subject.account.fullname = subject.account.fullname + $subject.account.session_id = subject.account.session_id + 
$subject.account.privileges = subject.account.privileges + + $object.process.id = object.process.id + $object.process.name = object.process.name + $object.process.path = object.process.path + $object.process.fullpath = object.process.fullpath + $object.process.hash = object.process.hash + $object.process.hash.md5 = object.process.hash.md5 + $object.process.hash.sha1 = object.process.hash.sha1 + $object.process.hash.sha256 = object.process.hash.sha256 + $object.process.version = object.process.version + $object.process.cmdline = object.process.cmdline + $object.process.guid = object.process.guid + $object.process.meta = object.process.meta + $object.process.original_name = object.process.original_name + $object.process.cwd = object.process.cwd + $object.process.chain = object.process.chain + + $object.process.parent.id = object.process.parent.id + $object.process.parent.name = object.process.parent.name + $object.process.parent.path = object.process.parent.path + $object.process.parent.fullpath = object.process.parent.fullpath + $object.process.parent.guid = object.process.parent.guid + $object.process.parent.cmdline = object.process.parent.cmdline + + $event_src.ip = event_src.ip + $event_src.hostname = event_src.hostname + $event_src.fqdn = event_src.fqdn + $event_src.host = event_src.host + $event_src.asset = event_src.asset + $event_src.vendor = event_src.vendor + $event_src.title = event_src.title + $event_src.subsys = event_src.subsys + $event_src.rule = event_src.rule + + $alert.key = $alert.key + "->" + subject.account.privileges + $alert.context = $alert.context + "_start_process_" + object.process.name + "_with_" + subject.account.privileges + "_via_" + $subject.process.name + } + +emit { + $correlation_type = "incident" + + $importance = "high" + + $category.generic = "Attack" + $category.high = "Privilege Escalation" + $category.low = "Abuse Elevation Control Mechanism: Bypass User Account Control" + + $incident.aggregation.key = join([$correlation_name, 
lower($event_src.host), lower($subject.account.id)], "|")
+ $incident.aggregation.timeout = 2h
+
+ $incident.severity = $importance
+
+ $incident.category = "Undefined"
+
+}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/raw_events_1.json
new file mode 100644
index 00000000..da5c3ed5
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/raw_events_1.json
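Review bot: The `$subject.process.*` fields in `on AutoElevate_Detect` are copied from that event's `object.process.*`, i.e. the auto-elevated wusa.exe whose token is stolen, yet the paired i18n text reads `Process {object.process.name} started by process {subject.process.name}`, which presents wusa.exe as the creator of the final process; per the header tree and the fixtures the creator is the parent PID (`object.process.parent.id`, python.exe in the emulation) and wusa.exe only donates the token, which the `_via_` wording in `$alert.context` already gets right. The subrule output in the fixtures carries no parent name (the 4688 v1 events here have no ParentProcessName), so the cheap fix is to reword the message, e.g. `Process {object.process.name} started by PID {object.process.parent.id} using the token of auto-elevated {subject.process.name} on behalf of {object.account.domain}\{object.account.name} at host {event_src.host}`, and to add `# subject.process = the auto-elevated binary whose token was duplicated, not the process that started the child` above the `on AutoElevate_Detect` block. Separately, `timer 10s` looks arbitrary: a payload that sleeps between the elevated wusa.exe spawn and CreateProcessWithToken falls outside the join, while keying on `object.process.parent.id` with no process GUID means a much longer window invites PID-reuse matches, so a comment recording that trade-off next to the timer would help whoever tunes it.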
@@ -0,0 +1,4 @@ +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.0268449Z\"},\"EventRecordID\":\"1676626\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"48\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3bc93\"},{\"Name\":\"NewProcessId\",\"text\":\"0x548\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-22T19:08:06.487Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"160e9a36-942b-464d-afeb-580ccdcc4b66"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4689\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13313\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.0424703Z\"},\"EventRecordID\":\"1676627\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3bc93\"},{\"Name\":\"Status\",\"text\":\"0xc000042c\"},{\"Name\":\"ProcessId\",\"text\":\"0x548\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-22T19:08:06.489Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"3d36ab5b-d2f1-49a9-95f5-e28e35834b64"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.4643561Z\"},\"EventRecordID\":\"1676639\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"WIN7-HACK$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xae0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-22T19:08:06.490Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"70ef4f25-dc12-4038-b382-80a6eae212d0"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.5268577Z\"},\"EventRecordID\":\"1676642\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"WIN7-HACK$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xb24\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\regedit.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"c:\\\\windows\\\\regedit.exe\\\"\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-26T15:07:01.155Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"9ff5ba06-567e-43fe-bde9-c3416dde61cf"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_1.sc new file mode 100644 index 00000000..ec00fb9c --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_1.sc 
@@ -0,0 +1,7 @@ +# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. +# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. +{"_rule": "Subrule_AutoElevate_detection", "action": "start", "alert.context": "PID_2372_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_2372_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Elevation Control Mechanism", "correlation_name": "Subrule_AutoElevate_detection", "correlation_type": "event", "count": 1, "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "low", "incident.aggregation.key": "Subrule_AutoElevate_detection|win7-hack.stand2008.local|c:\\windows\\system32\\wusa.exe", "incident.aggregation.timeout": 3600, "incident.category": "Undefined", "incident.severity": "low", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "244883", "object.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1352", "object.process.name": "wusa.exe", "object.process.parent.id": "2372", "object.process.path": "C:\\Windows\\System32\\", "object.state": "0xc000042c", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "reason": "STATUS_ELEVATION_REQUIRED", "status": "success", 
"subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "time": "2023-06-20T15:36:05.526Z"} +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.5268577Z\"},\"EventRecordID\":\"1676642\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"WIN7-HACK$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xb24\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\regedit.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"c:\\\\windows\\\\regedit.exe\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": 
"00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-18", "object.account.name": "win7-hack$", "object.account.session_id": "999", "object.process.cmdline": "\"c:\\windows\\regedit.exe\"", "object.process.fullpath": "c:\\windows\\regedit.exe", "object.process.id": "2852", "object.process.name": "regedit.exe", "object.process.parent.id": "2372", "object.process.path": "c:\\windows\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-26T15:07:01.155Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-20T15:36:08.526Z", "type": "raw", "uuid": "9ff5ba06-567e-43fe-bde9-c3416dde61cf"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"_rule": "UAC_bypass_via_AccessToken_manipulation", "action": "escalate", "alert.context": "PID_2372_with_TokenElevationTypeLimited_start_process_regedit.exe_with_TokenElevationTypeDefault_via_wusa.exe", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeDefault", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Abuse Elevation Control Mechanism: Bypass User Account Control", "correlation_name": "UAC_bypass_via_AccessToken_manipulation", "correlation_type": "incident", "count": 1, "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "high", "incident.aggregation.key": "UAC_bypass_via_AccessToken_manipulation|win7-hack.stand2008.local|s-1-5-18", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "normalized": true, "object": "account", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "244883", "object.process.cmdline": "\"c:\\windows\\regedit.exe\"", "object.process.fullpath": "c:\\windows\\regedit.exe", "object.process.id": "2852", "object.process.name": "regedit.exe", "object.process.parent.id": "2372", "object.process.path": "c:\\windows\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", "subject.account.privileges": "TokenElevationTypeDefault", 
"subject.account.session_id": "999", "subject.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "subject.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "subject.process.id": "1352", "subject.process.name": "wusa.exe", "subject.process.parent.id": "2372", "subject.process.path": "C:\\Windows\\System32\\"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_2.sc new file mode 100644 index 00000000..6d9a4e6a --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_2.sc 
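Review bot: The normalized 4688 input (second event) and the expect block carry `object.process.fullpath: "c:\\windows\\regedit.exe"` and `object.process.path: "c:\\windows\\"` in lowercase, although the raw `NewProcessName` inside the same `body` is `C:\\Windows\\regedit.exe`; that is the output of the old `lower()` mapping in the 4688 formula, which this commit removes, so the fixture appears to have been captured with the pre-change normalizer and no longer reflects what it emits. test_conds_1.tc for the same scenario (host win7-hack, parent PID 2372, regedit.exe PID 2852) expects the mixed-case `C:\\Windows\\regedit.exe`, so the two fixtures contradict each other. Regenerate this input event with the updated formula (or change the two path fields to `C:\\Windows\\regedit.exe` / `C:\\Windows\\`) and align the expect block; if the rule matches process names or paths case-sensitively (the rule body is not visible here), a mixed-case variant is the case that would catch a regression. Also note the expected `incident.aggregation.key` ends in `|s-1-5-18`, the SYSTEM subject SID, so every alert on a host would fold into one incident regardless of the escalating user in `object.account.id`; confirm that is the intended grouping.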
@@ -0,0 +1,7 @@ +# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. +# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. +{"_rule": "Subrule_AutoElevate_detection", "action": "start", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Elevation Control Mechanism", "correlation_name": "Subrule_AutoElevate_detection", "correlation_type": "event", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "low", "incident.aggregation.key": "Subrule_AutoElevate_detection|iewin7|c:\\windows\\system32\\wusa.exe", "incident.aggregation.timeout": 3600, "incident.category": "Undefined", "incident.severity": "low", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "79717", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", 
"subject.account.session_id": "999", "time": "2019-05-11T17:10:10.889Z"} +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8893206Z\"},\"EventRecordID\":\"18207\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xc74\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": 
"c:\\windows\\system32\\cmd.exe", "object.process.id": "3188", "object.process.name": "cmd.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-26T15:49:02.732Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:11.889Z", "type": "raw", "uuid": "047296b7-4a61-4d22-9edf-9824f223cce1"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"_rule": "UAC_bypass_via_AccessToken_manipulation", "action": "escalate", "alert.context": "PID_1264_with_TokenElevationTypeLimited_start_process_cmd.exe_with_TokenElevationTypeDefault_via_wusa.exe", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeDefault", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Abuse Elevation Control Mechanism: Bypass User Account Control", "correlation_name": "UAC_bypass_via_AccessToken_manipulation", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "high", "incident.aggregation.key": "UAC_bypass_via_AccessToken_manipulation|iewin7|s-1-5-18", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "normalized": true, "object": "account", "object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": 
"ieuser", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "79717", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.id": "3188", "object.process.name": "cmd.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "subject.process.id": "1576", "subject.process.name": "wusa.exe", "subject.process.parent.id": "1264", "subject.process.path": "C:\\Windows\\System32\\"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_conds_1.tc new file mode 100644 index 00000000..b7bd0cc0 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_conds_1.tc 
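Review bot: The child 4688 event's normalized `time` is `2019-05-11T17:10:11.889Z`, one second later than the `TimeCreated.SystemTime` of `17:10:10.8893206Z` embedded in its own `body`, and the subrule event's `time` is exactly that raw timestamp; it looks as if the normalized time was hand-shifted to force ordering after the subrule, which leaves the fixture internally inconsistent. Prefer keeping the normalized `time` equal to the raw timestamp and moving the subrule event earlier instead (e.g. `"time": "2019-05-11T17:10:09.889Z"`), so the input can be regenerated from the raw event without manual edits. The same case mismatch as in test_1.sc is present: `object.process.fullpath` is lowercase `c:\\windows\\system32\\cmd.exe` in both the input and the expect block while the raw `NewProcessName` is `C:\\Windows\\System32\\cmd.exe`, i.e. pre-change (`lower()`) normalizer output. The raw `CommandLine` entry has no `text` and the expect block correctly omits `object.process.cmdline`, which is a useful coverage of the cmdline-absent path and worth keeping.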
@@ -0,0 +1 @@ +expect 1 {"_rule": "UAC_bypass_via_AccessToken_manipulation", "action": "escalate", "alert.context": "PID_2372_with_TokenElevationTypeLimited_start_process_regedit.exe_with_TokenElevationTypeDefault_via_wusa.exe", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeDefault", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Abuse Elevation Control Mechanism: Bypass User Account Control", "correlation_name": "UAC_bypass_via_AccessToken_manipulation", "correlation_type": "incident", "count": 1, "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "high", "incident.aggregation.key": "UAC_bypass_via_AccessToken_manipulation|win7-hack.stand2008.local|s-1-5-18", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "normalized": true, "object": "account", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "244883", "object.process.cmdline": "\"c:\\windows\\regedit.exe\"", "object.process.fullpath": "C:\\Windows\\regedit.exe", "object.process.id": "2852", "object.process.name": "regedit.exe", "object.process.parent.id": "2372", "object.process.path": "C:\\Windows\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.process.cmdline": 
"\"C:\\Windows\\System32\\wusa.exe\"", "subject.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "subject.process.id": "1352", "subject.process.name": "wusa.exe", "subject.process.parent.id": "2372", "subject.process.path": "C:\\Windows\\System32\\"} \ No newline at end of file
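Review bot: This expected alert describes the same scenario as test_1.sc (host win7-hack, parent PID 2372, regedit.exe PID 2852) but with `object.process.fullpath: "C:\\Windows\\regedit.exe"` and `object.process.path: "C:\\Windows\\"`, whereas test_1.sc expects the lowercase `c:\\windows\\regedit.exe` / `c:\\windows\\`; only one of the two can match what the rule emits, so the stale one should be corrected — the mixed-case form is what the 4688 formula produces once this commit drops `lower()`, so test_1.sc is the likely candidate. The file holds only an `expect` block with no input events, so it presumably depends on inputs supplied by the conditions harness; a leading comment such as `# conditions for test_1.sc: wusa.exe auto-elevate followed by regedit.exe from the same parent PID` would make that pairing explicit for the next maintainer. As in test_1.sc, the aggregation key groups by the SYSTEM SID `s-1-5-18` rather than the escalating user; confirm that is intended.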