From 9db0dc554a5defa1b838cc5eb8dd88ea00515f42 Mon Sep 17 00:00:00 2001 From: Andru Date: Mon, 19 Jun 2023 17:47:17 +0300 Subject: [PATCH 1/9] Commit after subrule Subrule_CreateProcess_with_DifferentTokens created and tested --- .../i18n/i18n_en.yaml | 4 + .../i18n/i18n_ru.yaml | 4 + .../metainfo.yaml | 28 +++++ .../rule.co | 103 ++++++++++++++++++ .../tests/raw_events_1.json | 2 + .../tests/raw_events_2.json | 0 .../tests/test_1.sc | 6 + .../tests/test_conds_1.tc | 1 + .../tests/test_conds_2.tc | 5 + 9 files changed, 153 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/i18n/i18n_en.yaml create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/i18n/i18n_ru.yaml create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/metainfo.yaml create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/rule.co create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/raw_events_1.json create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/raw_events_2.json create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_1.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_conds_1.tc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_conds_2.tc 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/i18n/i18n_en.yaml
new file mode 100644
index 00000000..58028cb3
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/i18n/i18n_en.yaml
@@ -0,0 +1,4 @@
+Description: 'Access Token Manipulation detect'
+EventDescriptions:
+ - LocalizationId: 'corrname_Subrule_CreateProcess_with_DifferentTokens'
+ EventDescription: 'Process with PID {object.process.parent.id} escalate own privileges:{alert.key} at host {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/i18n/i18n_ru.yaml
new file mode 100644
index 00000000..5c2f4d6d
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/i18n/i18n_ru.yaml
@@ -0,0 +1,4 @@
+Description: 'Обнаружено повышение привилегии путем манипуляций с Access Tokens'
+EventDescriptions:
+ - LocalizationId: 'corrname_Subrule_CreateProcess_with_DifferentTokens'
+ EventDescription: 'Процесс с идентификатором {object.process.parent.id} повысил свои привилегии: {alert.key} на хосте {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/metainfo.yaml
new file mode 100644
index 00000000..ec5f66f6
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/metainfo.yaml
@@ -0,0 +1,28 @@
+ObjectId: LOC-CR-206774439
+ContentAutoName: Subrule_CreateProcess_with_DifferentTokens
+ExpertContext:
+ Created: 19.06.2023
+ Updated: 19.06.2023
+ KnowledgeHolders:
+ - driverenok
+ Usecases:
+ - Атакующие могут повышать привилегии путем манипуляций с Access Tokens
+ References:
+ - https://attack.mitre.org/techniques/T1134/
+ DataSources:
+ - Provider: Microsoft-Windows-Security-Auditing
+ EventID:
+ - 4688
+ - Provider: Microsoft-Windows-Sysmon
+ EventID:
+ - 1
+ContentRelations:
+ Implements:
+ ATTACK:
+ privilege-escalation:
+ - T1134
+ defense-evasion:
+ - T1134
+EventDescriptions:
+ - Criteria: correlation_name = "Subrule_CreateProcess_with_DifferentTokens"
+ LocalizationId: corrname_Subrule_CreateProcess_with_DifferentTokens
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/rule.co
new file mode 100644
index 00000000..d75dd2f3
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/rule.co
@@ -0,0 +1,103 @@
+event Process_Start_with_LimitedToken:
+ key:
+ event_src.host, object.process.parent.id
+ filter {
+ filter::NotFromCorrelator() and
+ filter::ProcessStart_Windows_any() and
+ subject.account.privileges == "TokenElevationTypeLimited"
+ }
+
+event Process_Start_with_FullToken:
+ key:
+ event_src.host, object.process.parent.id
+ filter {
+ filter::NotFromCorrelator() and
+ filter::ProcessStart_Windows_any() and
+ in_list(["TokenElevationTypeFull", "TokenElevationTypeDefault"], subject.account.privileges)
+ }
+
+rule Subrule_CreateProcess_with_DifferentTokens: Process_Start_with_LimitedToken and Process_Start_with_FullToken with different subject.account.session_id
+
+ init {
+ $labels = "w_auto|CheckWL_Process_Creation"
+ }
+
+ on Process_Start_with_LimitedToken {
+ $alert.key = subject.account.privileges
+ $alert.context = "PID_" + object.process.parent.id + "_start_process_" + object.process.name + "_with_" + subject.account.privileges
+ }
+
+ on Process_Start_with_FullToken {
+ $subject.account.id = subject.account.id
+ $subject.account.name = subject.account.name
+ $subject.account.domain = subject.account.domain
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.session_id = subject.account.session_id
+ $subject.account.privileges = subject.account.privileges
+
+ $object.account.id = object.account.id
+ $object.account.session_id = object.account.session_id
+ $object.account.name = object.account.name
+ $object.account.domain = object.account.domain
+ $object.account.fullname = object.account.fullname
+ $object.account.privileges = subject.account.privileges
+
+ $object.process.id = object.process.id
+ $object.process.name = object.process.name
+ $object.process.path = object.process.path
+ $object.process.fullpath = object.process.fullpath
+ $object.process.hash = object.process.hash
+ $object.process.hash.md5 = object.process.hash.md5
+ $object.process.hash.sha1 = object.process.hash.sha1
+ $object.process.hash.sha256 = object.process.hash.sha256
+ $object.process.version = object.process.version
+ $object.process.cmdline = object.process.cmdline
+ $object.process.guid = object.process.guid
+ $object.process.meta = object.process.meta
+ $object.process.original_name = object.process.original_name
+ $object.process.cwd = object.process.cwd
+ $object.process.chain = object.process.chain
+
+ $object.process.parent.id = object.process.parent.id
+ $object.process.parent.name = object.process.parent.name
+ $object.process.parent.path = object.process.parent.path
+ $object.process.parent.fullpath = object.process.parent.fullpath
+ $object.process.parent.guid = object.process.parent.guid
+ $object.process.parent.cmdline = object.process.parent.cmdline
+
+ $event_src.ip = event_src.ip
+ $event_src.hostname = event_src.hostname
+ $event_src.fqdn = event_src.fqdn
+ $event_src.host = event_src.host
+ $event_src.asset = event_src.asset
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.rule = event_src.rule
+
+ $alert.key = $alert.key + "->" + subject.account.privileges
+ $alert.context = $alert.context + "_then_PID_" + object.process.parent.id + "_start_process_" + object.process.name + "_with_" + subject.account.privileges
+ }
+
+emit {
+ $correlation_type = "incident"
+
+ $subject = "account"
+ $action = "escalate"
+ $object = "account"
+ $status = "success"
+
+ $importance = "medium"
+
+ $category.generic = "Attack"
+ $category.high = "Privilege Escalation"
+ $category.low = "Access Token Manipulation"
+
+ $incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($object.process.parent.id)], "|")
+ $incident.aggregation.timeout = 2h
+
+ $incident.severity = $importance
+
+ $incident.category = "Undefined"
+
+}
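Review bot: The `$alert.key` and `$alert.context` strings built in the two `on` blocks depend on Process_Start_with_LimitedToken being handled before Process_Start_with_FullToken — the FullToken block appends to `$alert.key` and `$alert.context`, so if the engine runs `on` blocks in event-arrival order and the full-token start arrives first, the appended value is built on an unset key and is then overwritten by the LimitedToken block, losing the `->` transition; test_1.sc only feeds the Limited-then-Full order, so this path is not exercised. A more robust shape keeps each side's `subject.account.privileges` in its own local and assembles `$alert.key` and `$alert.context` once in `emit { }`, with a reversed-order `.sc` test to pin it. The join key `event_src.host, object.process.parent.id` carries no visible time bound in this file, so parent-PID reuse on a busy host could pair unrelated starts unless the engine applies a default window — worth stating in a comment either way. Also `$object.account.privileges = subject.account.privileges` is the one object.account field sourced from the subject; if that is intentional (the 4688 event only carries the subject's token type) a short comment such as `# 4688 has no target-account token type; reuse the subject's` would save the next reader a question.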
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/raw_events_1.json
new file mode 100644
index 00000000..29400a93
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/raw_events_1.json
@@ -0,0 +1,2 @@
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T10:56:53.855Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"8cb235f6-8776-44b3-81c5-638ffee69b05"}
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T10:56:53.857Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"aa7baeb2-7f96-4a40-990f-27fe69a453d5"}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/raw_events_2.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/raw_events_2.json
new file mode 100644
index 00000000..e69de29b
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_1.sc
new file mode 100644
index 00000000..6aca5adc
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_1.sc
@@ -0,0 +1,6 @@
+# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции.
+# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку.
+{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.session_id": "79717", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T10:56:53.855Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "TokenElevationTypeLimited", "subject.account.session_id": "79717", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.608Z", "type": "raw", "uuid": "8cb235f6-8776-44b3-81c5-638ffee69b05"}
+{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T10:56:53.857Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.826Z", "type": "raw", "uuid": "aa7baeb2-7f96-4a40-990f-27fe69a453d5"}
+
+expect 1 {"_rule": "Subrule_CreateProcess_with_DifferentTokens", "action": "escalate", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation", "correlation_name": "Subrule_CreateProcess_with_DifferentTokens", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "incident.aggregation.key": "Subrule_CreateProcess_with_DifferentTokens|iewin7|1264", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "account", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.privileges": "TokenElevationTypeFull", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_conds_1.tc
new file mode 100644
index 00000000..21a713ad
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_conds_1.tc
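Review bot: Both fixture events in this test are Security 4688 records, while metainfo.yaml in the same commit also declares Microsoft-Windows-Sysmon EventID 1 as a data source and rule.co admits events through `filter::ProcessStart_Windows_any()`, so the Sysmon path has no test at all. It is not visible on this page whether the Sysmon 1 normalizer fills `subject.account.privileges` with the `TokenElevationType*` values the rule keys on; if it does not, the Sysmon entry in metainfo.yaml overstates coverage and should be dropped, and if it does, a second `.sc` with two Sysmon events would pin it. The test also only feeds the limited-token start before the full-token start, which is the order the rule's string building assumes.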
@@ -0,0 +1 @@
+expect 1 {"_rule": "Subrule_CreateProcess_with_DifferentTokens", "action": "escalate", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_and_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation", "correlation_name": "Subrule_CreateProcess_with_DifferentTokens", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "incident.aggregation.key": "Subrule_CreateProcess_with_DifferentTokens|iewin7|1264", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "account", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"}
\ No newline at end of file
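Review bot: The expected `alert.context` here reads `..._with_TokenElevationTypeLimited_and_PID_1264_...`, but rule.co in this commit builds that string with `"_then_PID_"`, and test_1.sc expects the `_then_` form; this file also omits `object.account.privileges`, which rule.co sets and test_1.sc expects. The condition file therefore looks stale relative to the rule and, if `expect` compares the listed fields exactly, cannot pass against it. Either bring it in line with test_1.sc's expected event or trim it to the fields the check is meant to pin (`_rule`, `alert.key`, `correlation_name`). The second patch in this series deletes this file at the old path, so the fix may belong in its replacement, which is not visible here.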
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_conds_2.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_conds_2.tc
new file mode 100644
index 00000000..828015e4
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_conds_2.tc
@@ -0,0 +1,5 @@
+# Вайтлистинг
+table_list default
+table_list {"Common_whitelist_auto": [{"rule": "Subrule_CreateProcess_with_DifferentTokens", "specific_value": ""}]}
+
+expect not {"correlation_name": "Subrule_CreateProcess_with_DifferentTokens"}
From b5da667070d3a96553c156c69ba309f63261c93f Mon Sep 17 00:00:00 2001
From: Andru Date: Mon, 19 Jun 2023 19:10:35 +0300 Subject: [PATCH 2/9] Updated subrule Subrule_CreateProcess_with_DifferentTokens --- .../i18n/i18n_en.yaml | 4 ++++ .../i18n/i18n_ru.yaml | 4 ++++ .../metainfo.yaml | 6 +++--- .../rule.co | 6 +++--- .../tests/raw_events_1.json | 4 ++-- .../tests/raw_events_2.json | 2 ++ .../tests/raw_events_3.json | 3 +++ .../tests/test_1.sc | 6 +++--- .../tests/test_2.sc | 8 ++++++++ .../tests/test_3.sc | 9 +++++++++ .../tests/test_conds_1.tc | 1 + .../tests/test_conds_2.tc | 1 + .../tests/test_conds_3.tc | 1 + .../i18n/i18n_en.yaml | 4 ---- .../i18n/i18n_ru.yaml | 4 ---- .../tests/raw_events_2.json | 0 .../tests/test_conds_1.tc | 1 - .../tests/test_conds_2.tc | 5 ----- 18 files changed, 44 insertions(+), 25 deletions(-) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/i18n/i18n_en.yaml create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/i18n/i18n_ru.yaml rename packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/{Subrule_CreateProcess_with_DifferentTokens => Subrule_CreateChildProcess_with_DifferentTokens}/metainfo.yaml (75%) rename packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/{Subrule_CreateProcess_with_DifferentTokens => Subrule_CreateChildProcess_with_DifferentTokens}/rule.co (94%) rename packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/{Subrule_CreateProcess_with_DifferentTokens => Subrule_CreateChildProcess_with_DifferentTokens}/tests/raw_events_1.json (90%) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_2.json create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_3.json rename 
packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/{Subrule_CreateProcess_with_DifferentTokens => Subrule_CreateChildProcess_with_DifferentTokens}/tests/test_1.sc (72%) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_2.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_3.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_1.tc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_2.tc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_3.tc delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/i18n/i18n_en.yaml delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/i18n/i18n_ru.yaml delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/raw_events_2.json delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_conds_1.tc delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_conds_2.tc 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/i18n/i18n_en.yaml
new file mode 100644
index 00000000..a91a9421
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/i18n/i18n_en.yaml
@@ -0,0 +1,4 @@
+Description: 'The launch of child processes with different Access Tokens was detected'
+EventDescriptions:
+ - LocalizationId: 'corrname_Subrule_CreateChildProcess_with_DifferentTokens'
+ EventDescription: 'Process with PID {object.process.parent.id} escalate own privileges:{alert.key} at host {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/i18n/i18n_ru.yaml
new file mode 100644
index 00000000..6ff3a74f
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/i18n/i18n_ru.yaml
@@ -0,0 +1,4 @@
+Description: 'Обнаружен запуск дочерних процессов с различными маркерами доступа (Access Tokens)'
+EventDescriptions:
+ - LocalizationId: 'corrname_Subrule_CreateChildProcess_with_DifferentTokens'
+ EventDescription: 'Процесс с идентификатором {object.process.parent.id} повысил свои привилегии: {alert.key} на хосте {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/metainfo.yaml
similarity index 75%
rename from packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/metainfo.yaml
rename to packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/metainfo.yaml
index ec5f66f6..c87904be 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/metainfo.yaml
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/metainfo.yaml
@@ -1,5 +1,5 @@
 ObjectId: LOC-CR-206774439
-ContentAutoName: Subrule_CreateProcess_with_DifferentTokens
+ContentAutoName: Subrule_CreateChildProcess_with_DifferentTokens
 ExpertContext:
 Created: 19.06.2023
 Updated: 19.06.2023
@@ -24,5 +24,5 @@ ContentRelations:
 defense-evasion:
 - T1134
 EventDescriptions:
- - Criteria: correlation_name = "Subrule_CreateProcess_with_DifferentTokens"
- LocalizationId: corrname_Subrule_CreateProcess_with_DifferentTokens
+ - Criteria: correlation_name = "Subrule_CreateChildProcess_with_DifferentTokens"
+ LocalizationId: corrname_Subrule_CreateChildProcess_with_DifferentTokens
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/rule.co
similarity index 94%
rename from packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/rule.co
rename to packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/rule.co
index d75dd2f3..aa28aaea 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/rule.co
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/rule.co
@@ -16,10 +16,10 @@ event Process_Start_with_FullToken:
 in_list(["TokenElevationTypeFull", "TokenElevationTypeDefault"], subject.account.privileges)
 }
 
-rule Subrule_CreateProcess_with_DifferentTokens: Process_Start_with_LimitedToken and Process_Start_with_FullToken with different subject.account.session_id
+rule Subrule_CreateChildProcess_with_DifferentTokens: Process_Start_with_LimitedToken and Process_Start_with_FullToken with different subject.account.session_id
 
 init {
- $labels = "w_auto|CheckWL_Process_Creation"
+ $labels = "w_auto"
 }
 
 on Process_Start_with_LimitedToken {
@@ -100,4 +100,4 @@ emit {
 
 $incident.category = "Undefined"
 
-}
+}
\ No newline at end of file
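Review bot: The second hunk (`@@ -100,4 +100,4 @@`) changes nothing but the final `}`, and only so that the file now ends without a newline (`\ No newline at end of file`); that is a cosmetic regression that will resurface in every later diff of this file, so keep the trailing newline and drop the hunk. The first hunk also shortens `$labels` from `"w_auto|CheckWL_Process_Creation"` to `"w_auto"`; if `CheckWL_Process_Creation` is the label that enables the process-creation whitelist check, this silently changes which whitelists apply to the subrule and deserves a sentence in the commit message, and the test_conds files created by this patch that would confirm the new behaviour are not visible here.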
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_1.json
similarity index 90%
rename from packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/raw_events_1.json
rename to packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_1.json
index 29400a93..aa41a4bd 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/raw_events_1.json
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_1.json
@@ -1,2 +1,2 @@
-{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T10:56:53.855Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"8cb235f6-8776-44b3-81c5-638ffee69b05"}
-{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T10:56:53.857Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"aa7baeb2-7f96-4a40-990f-27fe69a453d5"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:44:16.508Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"3f5255f8-2046-4ccc-8ab0-94241391249d"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:47:21.139Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"a7cf27bb-23a3-4f08-bef1-22633514db07"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_2.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_2.json
new file mode 100644
index 00000000..20b78620
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_2.json
@@ -0,0 +1,2 @@
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:44:16.508Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"3f5255f8-2046-4ccc-8ab0-94241391249d"}
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8893206Z\"},\"EventRecordID\":\"18207\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xc74\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:44:56.726Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"4b969569-cc44-4df3-a0f2-cc9d3aab72d5"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_3.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_3.json
new file mode 100644
index 00000000..9a6dadf9
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_3.json
@@ -0,0 +1,3 @@
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:44:16.508Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"3f5255f8-2046-4ccc-8ab0-94241391249d"}
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:47:21.139Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"a7cf27bb-23a3-4f08-bef1-22633514db07"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8893206Z\"},\"EventRecordID\":\"18207\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xc74\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:44:56.726Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"4b969569-cc44-4df3-a0f2-cc9d3aab72d5"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_1.sc
similarity index 72%
rename from packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_1.sc
rename to packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_1.sc
index 6aca5adc..05e51516 100644
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_1.sc
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_1.sc
@@ -1,6 +1,6 @@
 # Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции.
 # События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку.
-{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", 
"object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.session_id": "79717", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T10:56:53.855Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "TokenElevationTypeLimited", "subject.account.session_id": "79717", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.608Z", "type": "raw", "uuid": "8cb235f6-8776-44b3-81c5-638ffee69b05"}
-{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", 
"object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T10:56:53.857Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.826Z", "type": "raw", "uuid": "aa7baeb2-7f96-4a40-990f-27fe69a453d5"}
+{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", 
"event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.session_id": "79717", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:44:16.508Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "TokenElevationTypeLimited", "subject.account.session_id": "79717", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.608Z", "type": "raw", "uuid": "3f5255f8-2046-4ccc-8ab0-94241391249d"}
+{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", 
"object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:47:21.139Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.826Z", "type": "raw", "uuid": "a7cf27bb-23a3-4f08-bef1-22633514db07"}
-expect 1 {"_rule": "Subrule_CreateProcess_with_DifferentTokens", "action": "escalate", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation", "correlation_name": "Subrule_CreateProcess_with_DifferentTokens", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "incident.aggregation.key": "Subrule_CreateProcess_with_DifferentTokens|iewin7|1264", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "account", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.privileges": "TokenElevationTypeFull", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", 
"object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"}
+expect 1 {"_rule": "Subrule_CreateChildProcess_with_DifferentTokens", "action": "escalate", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation", "correlation_name": "Subrule_CreateChildProcess_with_DifferentTokens", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "incident.aggregation.key": "Subrule_CreateChildProcess_with_DifferentTokens|iewin7|1264", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "account", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.privileges": "TokenElevationTypeFull", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", 
"status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_2.sc
new file mode 100644
index 00000000..f3a6f847
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_2.sc
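Review bot: The two header lines of test_1.sc are still the scaffold's template instructions (`# Здесь укажи ...`) rather than a description of the scenario, so a reader has to decode two multi-kilobyte JSON lines to learn what is being asserted; test_2.sc, added in the next file section, carries the same template text. Replace them with a one-line scenario comment such as `# Limited-token wusa.exe (session 79717) then Full-token wusa.exe (session 999) under the same parent PID 1264 -> exactly one escalation` (wording constructed from the events below). Only the rule name changed in the `expect` line, so the rename is covered, but this file still exercises only the positive path; a case where both events share the same `subject.account.session_id` would pin the `with different subject.account.session_id` join, unless test_2.sc already does so, which runs past this view.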
@@ -0,0 +1,8 @@ +# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. +# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", 
"object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.session_id": "79717", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:44:16.508Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "TokenElevationTypeLimited", "subject.account.session_id": "79717", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.608Z", "type": "raw", "uuid": "3f5255f8-2046-4ccc-8ab0-94241391249d"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8893206Z\"},\"EventRecordID\":\"18207\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xc74\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.id": "3188", "object.process.name": "cmd.exe", "object.process.parent.id": 
"1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:44:56.726Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.889Z", "type": "raw", "uuid": "4b969569-cc44-4df3-a0f2-cc9d3aab72d5"} + + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"_rule": "Subrule_CreateChildProcess_with_DifferentTokens", "action": "escalate", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_cmd.exe_with_TokenElevationTypeDefault", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeDefault", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation", "correlation_name": "Subrule_CreateChildProcess_with_DifferentTokens", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "incident.aggregation.key": "Subrule_CreateChildProcess_with_DifferentTokens|iewin7|1264", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "account", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.privileges": "TokenElevationTypeDefault", "object.account.session_id": "999", "object.process.fullpath": 
"c:\\windows\\system32\\cmd.exe", "object.process.id": "3188", "object.process.name": "cmd.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_3.sc new file mode 100644 index 00000000..622ad2be --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_3.sc 
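Review bot: Both new fixtures for this subrule (test_2.sc here and test_3.sc in the next section) are positive cases only; nothing asserts that the rule stays silent when the same parent PID starts two children with the same TokenElevationType, or when the second start arrives outside the correlation window, so a regression that fires on every pair of child starts would still pass. A third scenario with two `TokenElevationTypeLimited` starts under parent 1264 and `expect not {"correlation_name": "Subrule_CreateChildProcess_with_DifferentTokens"}` would pin the negative side. The two events here are also attributed to different accounts (ieuser in session 79717, then iewin7$ in session 999) under the same parent; if that is deliberate, a one-line fixture comment saying the subrule keys on the parent PID rather than the account would stop a later reader from taking it for a mistake.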
@@ -0,0 +1,9 @@ +# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. +# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", 
"object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.session_id": "79717", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:44:16.508Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "TokenElevationTypeLimited", "subject.account.session_id": "79717", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.608Z", "type": "raw", "uuid": "3f5255f8-2046-4ccc-8ab0-94241391249d"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", 
"object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:47:21.139Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.826Z", "type": "raw", "uuid": "a7cf27bb-23a3-4f08-bef1-22633514db07"} +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8893206Z\"},\"EventRecordID\":\"18207\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xc74\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": 
"Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.id": "3188", "object.process.name": "cmd.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:44:56.726Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.889Z", "type": "raw", "uuid": "4b969569-cc44-4df3-a0f2-cc9d3aab72d5"} + + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"_rule": "Subrule_CreateChildProcess_with_DifferentTokens", "action": "escalate", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation", "correlation_name": "Subrule_CreateChildProcess_with_DifferentTokens", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "incident.aggregation.key": "Subrule_CreateChildProcess_with_DifferentTokens|iewin7|1264", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "account", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.privileges": "TokenElevationTypeFull", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"} 
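Review bot: `expect 1` with three distinct token types under parent 1264 (Limited, then Full, then Default) implicitly asserts that the Full→Default pair does not raise a second alert, but nothing in the fixture states that this is intended rather than an accident of ordering or timing. A comment above the expect block, e.g. `# only the first transition (Limited->Full) must fire; the later Default start under the same parent must not produce a second alert`, would make the contract explicit. The third event also reuses the uuid and recv_time of test_2's cmd.exe event, which the engine does not mind but which makes the two scenarios harder to tell apart in test output.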
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_1.tc
new file mode 100644
index 00000000..e3ddd034
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_1.tc
@@ -0,0 +1 @@
+expect 1 {"correlation_name": "Subrule_CreateChildProcess_with_DifferentTokens"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_2.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_2.tc
new file mode 100644
index 00000000..e3ddd034
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_2.tc
@@ -0,0 +1 @@
+expect 1 {"correlation_name": "Subrule_CreateChildProcess_with_DifferentTokens"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_3.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_3.tc
new file mode 100644
index 00000000..e3ddd034
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_3.tc
@@ -0,0 +1 @@
+expect 1 {"correlation_name": "Subrule_CreateChildProcess_with_DifferentTokens"}
\ No newline at end of file
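Review bot: The three new test_conds files are byte-identical positive checks (all three carry blob e3ddd034), and none of them covers the whitelist path: the Subrule_CreateProcess test_conds_2.tc deleted further down in this patch carried a `table_list {"Common_whitelist_auto": [...]}` / `expect not {...}` case, and the renamed subrule gets no equivalent. If the new rule still consults Common_whitelist_auto (its rule.co is not in this chunk), one of these files should carry `table_list {"Common_whitelist_auto": [{"rule": "Subrule_CreateChildProcess_with_DifferentTokens", "specific_value": ""}]}` followed by `expect not {"correlation_name": "Subrule_CreateChildProcess_with_DifferentTokens"}`. If whitelisting was dropped on purpose, that is a behaviour change the commit message should state.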
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/i18n/i18n_en.yaml
deleted file mode 100644
index 58028cb3..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/i18n/i18n_en.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-Description: 'Access Token Manipulation detect'
-EventDescriptions:
- - LocalizationId: 'corrname_Subrule_CreateProcess_with_DifferentTokens'
- EventDescription: 'Process with PID {object.process.parent.id} escalate own privileges:{alert.key} at host {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/i18n/i18n_ru.yaml
deleted file mode 100644
index 5c2f4d6d..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/i18n/i18n_ru.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-Description: 'Обнаружено повышение привилегии путем манипуляций с Access Tokens'
-EventDescriptions:
- - LocalizationId: 'corrname_Subrule_CreateProcess_with_DifferentTokens'
- EventDescription: 'Процесс с идентификатором {object.process.parent.id} повысил свои привилегии: {alert.key} на хосте {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/raw_events_2.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/raw_events_2.json
deleted file mode 100644
index e69de29b..00000000
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_conds_1.tc
deleted file mode 100644
index 21a713ad..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_conds_1.tc
+++ /dev/null
@@ -1 +0,0 @@ -expect 1 {"_rule": "Subrule_CreateProcess_with_DifferentTokens", "action": "escalate", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_and_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation", "correlation_name": "Subrule_CreateProcess_with_DifferentTokens", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "incident.aggregation.key": "Subrule_CreateProcess_with_DifferentTokens|iewin7|1264", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "account", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"} \ No newline at end of file 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_conds_2.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_conds_2.tc
deleted file mode 100644
index 828015e4..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateProcess_with_DifferentTokens/tests/test_conds_2.tc
+++ /dev/null
@@ -1,5 +0,0 @@
-# Вайтлистинг
-table_list default
-table_list {"Common_whitelist_auto": [{"rule": "Subrule_CreateProcess_with_DifferentTokens", "specific_value": ""}]}
-
-expect not {"correlation_name": "Subrule_CreateProcess_with_DifferentTokens"}
From 5429e19aceaa46748964533867d8ae4924dcbd74 Mon Sep 17 00:00:00 2001
From: Andru
Date: Mon, 19 Jun 2023 20:02:17 +0300
Subject: [PATCH 3/9] Commit after rule AccessTokenManipulation_via_Consent created and tested
---
 .../i18n/i18n_en.yaml | 4 +
 .../i18n/i18n_ru.yaml | 4 +
 .../metainfo.yaml | 31 +++++
 .../rule.co | 118 ++++++++++++++++++
 .../tests/test_1.sc | 7 ++
 5 files changed, 164 insertions(+)
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/i18n/i18n_en.yaml
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/i18n/i18n_ru.yaml
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/metainfo.yaml
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/rule.co
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/tests/test_1.sc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/i18n/i18n_en.yaml
new file mode 100644
index 00000000..4173a885
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/i18n/i18n_en.yaml
@@ -0,0 +1,4 @@
+Description: 'The launch of child processes with different Access Tokens was detected'
+EventDescriptions:
+ - LocalizationId: 'corrname_AccessTokenManipulation_via_Consent'
+ EventDescription: 'Process with PID {object.process.parent.id} escalate own privileges:{alert.key} afted lauched (subject.process.name) process at host {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/i18n/i18n_ru.yaml
new file mode 100644
index 00000000..4c1d5c6e
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/i18n/i18n_ru.yaml
@@ -0,0 +1,4 @@
+Description: 'Обнаружен запуск дочерних процессов с различными маркерами доступа (Access Tokens).'
+EventDescriptions:
+ - LocalizationId: 'corrname_AccessTokenManipulation_via_Consent'
+ EventDescription: 'Процесс с идентификатором {object.process.parent.id} повысил свои привилегии: {alert.key} после запуска полцесса {subject.process.name} на хосте {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/metainfo.yaml
new file mode 100644
index 00000000..17933622
--- /dev/null
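Review bot: The English EventDescription in i18n_en.yaml wraps the process name in parentheses, `(subject.process.name)`, so it will be printed literally instead of being substituted like the other `{...}` placeholders, and "afted lauched" is misspelled. Suggested line: `EventDescription: 'Process with PID {object.process.parent.id} escalated its privileges: {alert.key} after launching {subject.process.name} at host {event_src.host}'`. The Russian counterpart in the next hunk uses braces correctly but has the typo `полцесса` for `процесса`. Both templates depend on `{alert.key}` being populated by rule.co, which is worth checking against that file in the same patch.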
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/metainfo.yaml
@@ -0,0 +1,31 @@
+ObjectId: LOC-CR-330352538
+ContentAutoName: AccessTokenManipulation_via_Consent
+ExpertContext:
+ Created: 19.06.2023
+ Updated: 19.06.2023
+ KnowledgeHolders:
+ - driverenok
+ Usecases:
+ - Атакующие могут манипулировать маркерами доступа (Access Tokens) путем подмены dll, загружаемых в процесс consent.exe
+ References:
+ - https://attack.mitre.org/techniques/T1134/
+ - https://attack.mitre.org/techniques/T1548/002/
+ DataSources:
+ - Provider: Microsoft-Windows-Security-Auditing
+ EventID:
+ - 4688
+ - Provider: Microsoft-Windows-Sysmon
+ EventID:
+ - 1
+ContentRelations:
+ Implements:
+ ATTACK:
+ privilege-escalation:
+ - T1134
+ - T1548.002
+ defense-evasion:
+ - T1134
+ - T1548.002
+EventDescriptions:
+ - Criteria: correlation_name = "AccessTokenManipulation_via_Consent"
+ LocalizationId: corrname_AccessTokenManipulation_via_Consent
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/rule.co
new file mode 100644
index 00000000..e16ed645
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/rule.co
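Review bot: The Usecases entry describes the attack as substituting DLLs loaded into consent.exe, but DataSources lists only process-creation telemetry (Security 4688 and Sysmon 1) and no image-load events, so the rule can at most observe the consequence — a child started with a different token type shortly after consent.exe starts, which is what rule.co in this patch correlates within 10 s — and never the DLL swap itself; the use-case text should say so to avoid overstating coverage to analysts. Sysmon EventID 1 is declared as a source, yet the only fixture in this patch (tests/test_1.sc) feeds 4688, so the Sysmon path is untested. A second Usecases bullet along the lines of "detects a child process started with a different access-token type within 10 s of consent.exe starting" would align the metadata with what the rule actually checks.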
@@ -0,0 +1,118 @@
+event Process_Start:
+ key:
+ event_src.host#, subject.account.session_id
+ filter {
+ filter::NotFromCorrelator() and
+ filter::ProcessStart_Windows_any() and
+ object.process.name == "consent.exe"
+ }
+
+event Process_Start_with_DifferentTokens:
+ key:
+ event_src.host#, subject.account.session_id
+ filter {
+ correlation_name == "Subrule_CreateChildProcess_with_DifferentTokens"
+ }
+
+rule AccessTokenManipulation_via_Consent: Process_Start and Process_Start_with_DifferentTokens #(Process_Start and ) with different object.process.parent.id within 10s
+
+ on Process_Start {
+ $object.account.name = subject.account.name
+ $object.account.domain = subject.account.domain
+ $object.account.fullname = subject.account.fullname
+ $object.account.id = subject.account.id
+ $object.account.session_id = subject.account.session_id
+ $object.account.privileges = subject.account.privileges
+
+ $event_src.ip = event_src.ip
+ $event_src.hostname = event_src.hostname
+ $event_src.fqdn = event_src.fqdn
+ $event_src.host = event_src.host
+ $event_src.asset = event_src.asset
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.rule = event_src.rule
+
+ $subject.process.id = object.process.id
+ $subject.process.name = object.process.name
+ $subject.process.path = object.process.path
+ $subject.process.fullpath = object.process.fullpath
+ $subject.process.hash = object.process.hash
+ $subject.process.hash.md5 = object.process.hash.md5
+ $subject.process.hash.sha1 = object.process.hash.sha1
+ $subject.process.hash.sha256 = object.process.hash.sha256
+ $subject.process.version = object.process.version
+ $subject.process.cmdline = object.process.cmdline
+ $subject.process.guid = object.process.guid
+ $subject.process.meta = object.process.meta
+ $subject.process.original_name = object.process.original_name
+ $subject.process.cwd = object.process.cwd
+ $subject.process.chain = object.process.chain
+ }
+
+ #on Process_Start {
+ # $subject.process.id = object.process.id
+ # $subject.process.name = object.process.name
+ # $subject.process.path = object.process.path
+ # $subject.process.fullpath = object.process.fullpath
+ # $subject.process.guid = object.process.guid
+ # $subject.process.cmdline = object.process.cmdline
+ #}
+
+ on Process_Start_with_DifferentTokens {
+ $subject.account.name = subject.account.name
+ $subject.account.domain = subject.account.domain
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.session_id = subject.account.session_id
+ $subject.account.id = subject.account.id
+ $subject.account.privileges = subject.account.privileges
+
+ $object.process.id = object.process.id
+ $object.process.name = object.process.name
+ $object.process.path = object.process.path
+ $object.process.fullpath = object.process.fullpath
+ $object.process.hash = object.process.hash
+ $object.process.hash.md5 = object.process.hash.md5
+ $object.process.hash.sha1 = object.process.hash.sha1
+ $object.process.hash.sha256 = object.process.hash.sha256
+ $object.process.version = object.process.version
+ $object.process.cmdline = object.process.cmdline
+ $object.process.guid = object.process.guid
+ $object.process.meta = object.process.meta
+ $object.process.original_name = object.process.original_name
+ $object.process.cwd = object.process.cwd
+ $object.process.chain = object.process.chain
+
+ $object.process.parent.id = object.process.parent.id
+ $object.process.parent.name = object.process.parent.name
+ $object.process.parent.path = object.process.parent.path
+ $object.process.parent.fullpath = object.process.parent.fullpath
+ $object.process.parent.guid = object.process.parent.guid
+ $object.process.parent.cmdline = object.process.parent.cmdline
+
+ #$alert.key = $object.account.privileges + "->" $subject.account.privileges
+
+ }
+
+emit {
+ $correlation_type = "incident"
+
+ $subject = "account"
+ $action = "escalate"
+ $object = "account"
+ $status = "success"
+
+ $importance = "medium"
+
+ $category.generic = "Attack"
+ $category.high = "Privilege Escalation"
+ $category.low = "Access Token Manipulation"
+
+ $incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($object.account.name)], "|")
+ $incident.aggregation.timeout = 2h
+
+ $incident.severity = $importance
+
+ $incident.category = "Undefined"
+}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/tests/test_1.sc
new file mode 100644
index 00000000..12ac99cd
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/AccessTokenManipulation_via_Consent/tests/test_1.sc
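Review bot: `$alert.key` is never set in this rule: the only assignment, inside `on Process_Start_with_DifferentTokens`, is commented out (and is also missing a `+` before `$subject.account.privileges`), while both i18n templates added in this patch interpolate `{alert.key}`, so every alert renders with an empty key. The incoming subrule event already carries `alert.key` and `alert.context` (visible in tests/test_1.sc), so `$alert.key = alert.key` and `$alert.context = alert.context` in that block is the minimal fix. The rule header `... Process_Start_with_DifferentTokens #(Process_Start and ) with different object.process.parent.id within 10s` leaves a leftover `#(...)` fragment in front of the join condition; if `#` opens a line comment in this dialect, `with different object.process.parent.id within 10s` is silently dropped and the rule has neither its 10 s window nor the parent-PID constraint, so the line should read `rule AccessTokenManipulation_via_Consent: Process_Start and Process_Start_with_DifferentTokens with different object.process.parent.id within 10s`. The commented-out `#on Process_Start { ... }` block only duplicates live assignments made a few lines above it and should be deleted rather than shipped.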
@@ -0,0 +1,7 @@ +# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. +# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6236956Z\"},\"EventRecordID\":\"18198\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x7f0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x3c8\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": 
"workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.id": "2032", "object.process.name": "consent.exe", "object.process.parent.id": "968", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T10:56:53.856Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.623Z", "type": "raw", "uuid": "d61e0e53-ae9d-40fa-8d93-152160bbac12"} +{"_rule": "Subrule_CreateChildProcess_with_DifferentTokens", "action": "escalate", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation", "correlation_name": "Subrule_CreateChildProcess_with_DifferentTokens", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "incident.aggregation.key": "Subrule_CreateChildProcess_with_DifferentTokens|iewin7|1264", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "account", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", 
"object.account.name": "iewin7$", "object.account.privileges": "TokenElevationTypeFull", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "time": "2019-05-11T17:10:15.623Z"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"_rule": "AccessTokenManipulation_via_Consent", "action": "escalate", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation", "correlation_name": "AccessTokenManipulation_via_Consent", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "incident.aggregation.key": "AccessTokenManipulation_via_Consent|iewin7|iewin7$", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "account", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.privileges": "TokenElevationTypeDefault", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": 
"c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.id": "2032", "subject.process.name": "consent.exe", "subject.process.path": "c:\\windows\\system32\\"} \ No newline at end of file From 3ffc3e904ac2e6116494f281c5f18fac2c8e2b3d Mon Sep 17 00:00:00 2001 From: Andru Date: Fri, 23 Jun 2023 17:19:10 +0300 Subject: [PATCH 4/9] =?UTF-8?q?=D0=9E=D0=B1=D0=BD=D0=BE=D0=B2=D0=BB=D0=B5?= =?UTF-8?q?=D0=BD=D0=B0=20=D0=BD=D0=BE=D1=80=D0=BC=D0=B0=D0=BB=D0=B8=D0=B7?= =?UTF-8?q?=D0=B0=D1=86=D0=B8=D1=8F=20=D0=B4=D0=BB=D1=8F=20WinEventLog=204?= =?UTF-8?q?688.=20=D0=94=D0=BB=D1=8F=20=D0=BF=D0=BE=D0=BB=D0=B5=D0=B9=20ob?= =?UTF-8?q?ject.process.fullpath=20=D0=B8=20object.parent.process.fullpath?= =?UTF-8?q?=20=D0=B1=D0=BE=D0=BB=D1=8C=D1=88=D0=B5=20=D0=BD=D0=B5=20=D0=BF?= =?UTF-8?q?=D1=80=D0=B8=D0=BC=D0=B5=D0=BD=D1=8F=D0=B5=D1=82=D1=81=D1=8F=20?= =?UTF-8?q?=D1=84=D1=83=D0=BD=D0=BA=D1=86=D0=B8=D1=8F=20lower()?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Security/4688_A_new_process_has_been_created/formula.xp | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Security/4688_A_new_process_has_been_created/formula.xp b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Security/4688_A_new_process_has_been_created/formula.xp index ca4e49ac..a8c4dac9 100644 --- a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Security/4688_A_new_process_has_been_created/formula.xp 
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Security/4688_A_new_process_has_been_created/formula.xp @@ -41,14 +41,16 @@ else endif object.process.id = maybe_number16($Data["NewProcessId"]) -object.process.fullpath = lower($Data["NewProcessName"]) +#object.process.fullpath = lower($Data["NewProcessName"]) +object.process.fullpath = $Data["NewProcessName"] $process_path = csv(object.process.fullpath, "\\", "") object.process.name = $process_path[length($process_path) - 1] object.process.path = strip(object.process.fullpath, "", object.process.name) object.process.cmdline = $Data['CommandLine'] object.process.parent.id = maybe_number16($Data["ProcessId"]) -object.process.parent.fullpath = lower($Data["ParentProcessName"]) +#object.process.parent.fullpath = lower($Data["ParentProcessName"]) +object.process.parent.fullpath = $Data["ParentProcessName"] $process_parent_path = csv(object.process.parent.fullpath, "\\", "") object.process.parent.name = $process_parent_path[length($process_parent_path) - 1] object.process.parent.path = strip(object.process.parent.fullpath, "", object.process.parent.name) From c6a2d72bf507f7cfbd20c0640285e886152adb8d Mon Sep 17 00:00:00 2001 
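Review bot: The two `#object.process.fullpath = lower($Data["NewProcessName"])` and `#object.process.parent.fullpath = lower($Data["ParentProcessName"])` lines leave the old assignments as commented-out dead code; delete them, the history is in git. The larger concern is that `object.process.fullpath` (and `object.process.name` / `object.process.path`, which the following lines derive from it) now keep whatever case the event log supplied, while the correlation rules in this series both join on that field (Subrule_AutoElevate_detection keys on `event_src.host, object.process.fullpath`) and aggregate on `lower($object.process.fullpath)`; NTFS paths are case-insensitive, so two events that spell the same executable differently will no longer join, and any filter elsewhere that compares the field against lowercase path lists will silently stop matching. If the original spelling is wanted for display, consider keeping the lowercased value in the fields rules key on, or lowercasing at the rule keys, and state the motivation in the commit message. The rest of the formula lies outside the hunk.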
From: Andru
Date: Fri, 23 Jun 2023 17:21:34 +0300
Subject: [PATCH 5/9] Commit after rule Subrule_AutoElevate_detection created and tested
---
 .../i18n/i18n_en.yaml | 4 +
 .../i18n/i18n_ru.yaml | 4 +
 .../metainfo.yaml | 31 +++++
 .../Subrule_AutoElevate_detection/rule.co | 120 ++++++++++++++++++
 .../tests/raw_events_1.json | 3 +
 .../tests/raw_events_2.json | 2 +
 .../tests/raw_events_3.json | 2 +
 .../tests/raw_events_4.json | 3 +
 .../tests/test_1.sc | 8 ++
 .../tests/test_2.sc | 7 +
 .../tests/test_3.sc | 7 +
 .../tests/test_4.sc | 9 ++
 .../tests/test_conds_1.tc | 1 +
 .../tests/test_conds_2.tc | 1 +
 .../tests/test_conds_3.tc | 1 +
 .../tests/test_conds_4.tc | 1 +
 16 files changed, 204 insertions(+)
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/i18n/i18n_en.yaml
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/i18n/i18n_ru.yaml
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/metainfo.yaml
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/rule.co
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_1.json
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_2.json
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_3.json
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_4.json
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_1.sc
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_2.sc
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_3.sc
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_4.sc
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_1.tc
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_2.tc
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_3.tc
 create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_4.tc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/i18n/i18n_en.yaml
new file mode 100644
index 00000000..d8ac0a65
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/i18n/i18n_en.yaml
@@ -0,0 +1,4 @@
+Description: 'AutoElevate process start was detected'
+EventDescriptions:
+ - LocalizationId: 'corrname_Subrule_AutoElevate_detection'
+ EventDescription: 'Process {object.process.name} started with AutoElevation flag behalf of the user {object.account.domain}\{object.account.name} at host {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/i18n/i18n_ru.yaml
new file mode 100644
index 00000000..7088e797
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/i18n/i18n_ru.yaml
@@ -0,0 +1,4 @@
+Description: 'Обнаружен запуск процесса с автоматическим повышением привилегий (AutoElevate)'
+EventDescriptions:
+ - LocalizationId: 'corrname_Subrule_AutoElevate_detection'
+ EventDescription: 'Процесс {object.process.name} запущен с автоматическим повышением привилегий от имени пользователя {object.account.domain}\{object.account.name} на хосте {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/metainfo.yaml
new file mode 100644
index 00000000..915a1801
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/metainfo.yaml
@@ -0,0 +1,31 @@
+ObjectId: LOC-CR-124009838
+ContentAutoName: Subrule_AutoElevate_detection
+ExpertContext:
+ Created: 22.06.2023
+ Updated: 23.06.2023
+ KnowledgeHolders:
+ - driverenok
+ Usecases:
+ - "Легитимная активность, в результате которой процесс, имеющий в манифесте исполняемого файла опцию AutoElevate, запускаетс дважды: 1й запуск - с LimitedToken, 2й раз - с FullToken"
+ Falsepositives:
+ - Процессы, родителем которых является процесс explorer.exe и запускаются администраторами
+ References:
+ - https://attack.mitre.org/techniques/T1548/
+ - https://github.com/rootm0s/WinPwnage
+ DataSources:
+ - Provider: Microsoft-Windows-Security-Auditing
+ EventID:
+ - 4688
+ - 4689
+ - Provider: Microsoft-Windows-Sysmon
+ EventID:
+ - 1
+ - 5
+ContentRelations:
+ Implements:
+ ATTACK:
+ privilege-escalation:
+ - T1548
+EventDescriptions:
+ - Criteria: correlation_name = "Subrule_AutoElevate_detection"
+ LocalizationId: corrname_Subrule_AutoElevate_detection
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/rule.co
new file mode 100644
index 00000000..6aee77b9
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/rule.co
@@ -0,0 +1,120 @@
+event Process_Start_with_LimitedToken:
+ key:
+ event_src.host, object.process.fullpath
+ filter {
+ filter::NotFromCorrelator() and
+ filter::ProcessStart_Windows_any() and
+ lower(subject.account.privileges) == "tokenelevationtypelimited"
+ }
+
+event Process_Stop_with_Elevated_ExitCode:
+ key:
+ event_src.host, object.process.fullpath
+ filter {
+ filter::NotFromCorrelator() and (
+ event_src.title == "windows" and msgid == "4689" or
+ event_src.title == "sysmon" and msgid == "5"
+ ) and
+ reason == "0xc000042c"
+ }
+
+event Process_Start_with_ElevatedToken:
+ key:
+ event_src.host, object.process.fullpath
+ filter {
+ filter::NotFromCorrelator() and
+ filter::ProcessStart_Windows_any() and
+ in_list(["tokenelevationtypefull", "tokenelevationtypedefault"], lower(subject.account.privileges))
+ }
+
+rule Subrule_AutoElevate_detection: (Process_Start_with_LimitedToken and Process_Stop_with_Elevated_ExitCode? and Process_Start_with_ElevatedToken) timer 10s with different subject.account.privileges
+
+ on Process_Start_with_LimitedToken {
+ $object.account.id = object.account.id
+ $object.account.name = object.account.name
+ $object.account.domain = object.account.domain
+ $object.account.fullname = object.account.fullname
+ $object.account.session_id = object.account.session_id
+ $object.account.privileges = subject.account.privileges
+
+ $object.process.id = object.process.id
+ $object.process.name = object.process.name
+ $object.process.path = object.process.path
+ $object.process.fullpath = object.process.fullpath
+ $object.process.hash = object.process.hash
+ $object.process.hash.md5 = object.process.hash.md5
+ $object.process.hash.sha1 = object.process.hash.sha1
+ $object.process.hash.sha256 = object.process.hash.sha256
+ $object.process.version = object.process.version
+ $object.process.cmdline = object.process.cmdline
+ $object.process.guid = object.process.guid
+ $object.process.meta = object.process.meta
+ $object.process.original_name = object.process.original_name
+ $object.process.cwd = object.process.cwd
+ $object.process.chain = object.process.chain
+
+ $object.process.parent.id = object.process.parent.id
+ $object.process.parent.name = object.process.parent.name
+ $object.process.parent.path = object.process.parent.path
+ $object.process.parent.fullpath = object.process.parent.fullpath
+ $object.process.parent.guid = object.process.parent.guid
+ $object.process.parent.cmdline = object.process.parent.cmdline
+
+ $event_src.ip = event_src.ip
+ $event_src.hostname = event_src.hostname
+ $event_src.fqdn = event_src.fqdn
+ $event_src.host = event_src.host
+ $event_src.asset = event_src.asset
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.rule = event_src.rule
+
+ $alert.key = subject.account.privileges
+ $alert.context = "PID_" + object.process.parent.id + "_start_process_" + object.process.name + "_with_" + subject.account.privileges
+ }
+
+ on Process_Stop_with_Elevated_ExitCode {
+ $object.state = object.state
+
+ if object.state == "0xc000042c" or reason == "0xc000042c" then
+ $reason = "STATUS_ELEVATION_REQUIRED"
+ endif
+ }
+
+ on Process_Start_with_ElevatedToken {
+ $subject = subject
+
+ $subject.account.id = subject.account.id
+ $subject.account.name = subject.account.name
+ $subject.account.domain = subject.account.domain
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.session_id = subject.account.session_id
+ $subject.account.privileges = subject.account.privileges
+
+ $action = action
+
+ $object = object
+
+ $status = status
+
+ $alert.key = $alert.key + "->" + subject.account.privileges
+ $alert.context = $alert.context + "_then_PID_" + object.process.parent.id + "_start_process_" + object.process.name + "_with_" + subject.account.privileges
+ }
+
+emit {
+ $correlation_type = "event"
+
+ $importance = "low"
+
+ $category.generic = "Attack"
+ $category.high = "Privilege Escalation"
+ $category.low = "Elevation Control Mechanism"
+
+ $incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($object.process.fullpath)], "|")
+ $incident.aggregation.timeout = 1h
+
+ $incident.severity = $importance
+
+ $incident.category = "Undefined"
+}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_1.json
new file mode 100644
index 00000000..bd771ece
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_1.json
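Review bot: The `event_src.title == "sysmon" and msgid == "5"` alternative in `Process_Stop_with_Elevated_ExitCode` is dead: Sysmon event 5 (process terminated) carries no exit status, so the `reason == "0xc000042c"` conjunct can only be satisfied by Security 4689; either drop the Sysmon branch or remove Sysmon 5 from the metainfo DataSources, and likewise confirm that the Sysmon 1 normalizer actually emits the `TokenElevationType*` vocabulary the two start filters compare against, since Sysmon 1 has no such field. Because that filter already fixes `reason`, the `if object.state == "0xc000042c" or reason == "0xc000042c" then` in the `on Process_Stop_with_Elevated_ExitCode` handler is always true and can be reduced to the bare `$reason = "STATUS_ELEVATION_REQUIRED"`. The event keys join on `object.process.fullpath` verbatim while the emit aggregates on `lower($object.process.fullpath)`; with the 4688 normalizer no longer lowercasing that field (patch 4 in this series), the join across the 4688/4689 events becomes case-sensitive, so lowercase it in the keys if the key syntax permits, or comment why exact case is acceptable. A short comment on the `rule` line explaining why the account is deliberately absent from the key (the fixtures suggest the elevated start is expected under a different, SYSTEM-level subject) would also keep a future reader from "fixing" it.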
@@ -0,0 +1,3 @@ +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.0268449Z\"},\"EventRecordID\":\"1676626\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"48\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3bc93\"},{\"Name\":\"NewProcessId\",\"text\":\"0x548\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-22T19:08:06.487Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"160e9a36-942b-464d-afeb-580ccdcc4b66"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4689\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13313\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.0424703Z\"},\"EventRecordID\":\"1676627\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3bc93\"},{\"Name\":\"Status\",\"text\":\"0xc000042c\"},{\"Name\":\"ProcessId\",\"text\":\"0x548\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-22T19:08:06.489Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"3d36ab5b-d2f1-49a9-95f5-e28e35834b64"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.4643561Z\"},\"EventRecordID\":\"1676639\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"WIN7-HACK$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xae0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-22T19:08:06.490Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"70ef4f25-dc12-4038-b382-80a6eae212d0"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_2.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_2.json new file mode 100644 index 00000000..c8bbf3eb --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_2.json 
@@ -0,0 +1,2 @@ +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.0268449Z\"},\"EventRecordID\":\"1676626\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"48\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3bc93\"},{\"Name\":\"NewProcessId\",\"text\":\"0x548\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-22T19:08:06.487Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"160e9a36-942b-464d-afeb-580ccdcc4b66"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.4643561Z\"},\"EventRecordID\":\"1676639\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"WIN7-HACK$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xae0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-22T19:08:06.490Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"70ef4f25-dc12-4038-b382-80a6eae212d0"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_3.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_3.json new file mode 100644 index 00000000..aa41a4bd --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_3.json 
@@ -0,0 +1,2 @@ +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:44:16.508Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"3f5255f8-2046-4ccc-8ab0-94241391249d"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:47:21.139Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"a7cf27bb-23a3-4f08-bef1-22633514db07"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_4.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_4.json new file mode 100644 index 00000000..9a6dadf9 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/raw_events_4.json 
@@ -0,0 +1,3 @@ +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:44:16.508Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"3f5255f8-2046-4ccc-8ab0-94241391249d"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:47:21.139Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"a7cf27bb-23a3-4f08-bef1-22633514db07"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8893206Z\"},\"EventRecordID\":\"18207\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xc74\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:44:56.726Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"4b969569-cc44-4df3-a0f2-cc9d3aab72d5"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_1.sc new file mode 100644 index 00000000..043bb8c9 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_1.sc 
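Review bot: The third event in this fixture (cmd.exe, TokenElevationType %%1936, SubjectUserSid S-1-5-18, creator ProcessId 0x4f0) is the post-elevation child that follows the wusa.exe Limited→Full pair, but none of the normalized scenarios visible in this patch (test_1 through test_3) feeds a TokenElevationTypeDefault event, so the rule's behaviour on it is not pinned anywhere visible here; test_4 begins at the end of this page and may be the scenario that does. If it is not, add a scenario that appends this cmd.exe 4688 after the pair and states the expected correlation count explicitly, because a rule that joins only on the parent PID and a non-Limited token could otherwise treat it as a second Full-side match. Note also that `CommandLine` carries no `text` in all three raw events (no command-line auditing on the IEWIN7 source), so any later use of `object.process.cmdline` in the rule would not be exercised by this fixture.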
@@ -0,0 +1,8 @@ +# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. +# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.0268449Z\"},\"EventRecordID\":\"1676626\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"48\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3bc93\"},{\"Name\":\"NewProcessId\",\"text\":\"0x548\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": 
"00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.session_id": "244883", "object.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1352", "object.process.name": "wusa.exe", "object.process.parent.id": "2372", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-22T19:08:06.487Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "subject.account.name": "администратор", "subject.account.privileges": "TokenElevationTypeLimited", "subject.account.session_id": "244883", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-20T15:36:08.026Z", "type": "raw", "uuid": "160e9a36-942b-464d-afeb-580ccdcc4b66"} +{"action": "stop", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4689\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13313\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.0424703Z\"},\"EventRecordID\":\"1676627\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3bc93\"},{\"Name\":\"Status\",\"text\":\"0xc000042c\"},{\"Name\":\"ProcessId\",\"text\":\"0x548\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "datafield1": "244883", "event_src.category": "Operating system", "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4689_A_process_has_exited", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4689", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.session_id": "244883", "object.id": "1352", "object.name": "wusa.exe", "object.path": 
"C:\\Windows\\System32\\", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1352", "object.process.name": "wusa.exe", "object.process.path": "C:\\Windows\\System32\\", "object.state": "0xc000042c", "reason": "0xc000042c", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-22T19:08:06.489Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "subject.account.name": "администратор", "subject.account.session_id": "244883", "subject.domain": "stand2008", "subject.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "subject.name": "администратор", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-20T15:36:08.042Z", "type": "raw", "uuid": "3d36ab5b-d2f1-49a9-95f5-e28e35834b64"} +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.4643561Z\"},\"EventRecordID\":\"1676639\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"WIN7-HACK$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xae0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"C
ommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-18", "object.account.name": "win7-hack$", "object.account.session_id": "999", "object.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "2784", "object.process.name": "wusa.exe", "object.process.parent.id": "2372", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-22T19:08:06.490Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-20T15:36:08.464Z", "type": "raw", "uuid": "70ef4f25-dc12-4038-b382-80a6eae212d0"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"_rule": "Subrule_AutoElevate_detection", "action": "start", "alert.context": "PID_2372_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_2372_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Elevation Control Mechanism", "correlation_name": "Subrule_AutoElevate_detection", "correlation_type": "event", "count": 1, "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "low", "incident.aggregation.key": "Subrule_AutoElevate_detection|win7-hack.stand2008.local|c:\\windows\\system32\\wusa.exe", "incident.aggregation.timeout": 3600, "incident.category": "Undefined", "incident.severity": "low", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "244883", "object.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1352", "object.process.name": "wusa.exe", "object.process.parent.id": "2372", "object.process.path": "C:\\Windows\\System32\\", "object.state": "0xc000042c", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "reason": "STATUS_ELEVATION_REQUIRED", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", 
"subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_2.sc new file mode 100644 index 00000000..cf832a93 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_2.sc 
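Review bot: None of the scenarios visible here (test_1 to test_3) is a negative case, so the rule is never pinned on a sequence it must not fire on. The positive input in this file is indistinguishable from a legitimate UAC consent for wusa.exe: the Limited instance exits with `Status 0xc000042c` (surfaced as `"reason": "STATUS_ELEVATION_REQUIRED"` in the expected event) and the Full instance is then created by S-1-5-18 (session 999) with the same `object.process.parent.id` 2372, which is presumably why the expected `importance` is `low` and this is a `Subrule_` meant to feed a parent rule. Add at least one scenario with the same two 4688s but a different `object.process.parent.id` on the second, and one with the Full-token launch alone, each expecting no correlation event, so that both the parent-PID join and the Limited→Full ordering are enforced by tests. Confirm too that keeping the raw hex in `"object.state": "0xc000042c"` while translating `reason` to the symbolic name in the same expected event is intentional.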
@@ -0,0 +1,7 @@ +# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. +# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.0268449Z\"},\"EventRecordID\":\"1676626\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"48\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3bc93\"},{\"Name\":\"NewProcessId\",\"text\":\"0x548\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": 
"00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.session_id": "244883", "object.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1352", "object.process.name": "wusa.exe", "object.process.parent.id": "2372", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-22T19:08:06.487Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "subject.account.name": "администратор", "subject.account.privileges": "TokenElevationTypeLimited", "subject.account.session_id": "244883", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-20T15:36:08.026Z", "type": "raw", "uuid": "160e9a36-942b-464d-afeb-580ccdcc4b66"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.4643561Z\"},\"EventRecordID\":\"1676639\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"WIN7-HACK$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xae0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-18", "object.account.name": "win7-hack$", "object.account.session_id": "999", 
"object.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "2784", "object.process.name": "wusa.exe", "object.process.parent.id": "2372", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-22T19:08:06.490Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-20T15:36:08.464Z", "type": "raw", "uuid": "70ef4f25-dc12-4038-b382-80a6eae212d0"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"_rule": "Subrule_AutoElevate_detection", "action": "start", "alert.context": "PID_2372_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_2372_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Elevation Control Mechanism", "correlation_name": "Subrule_AutoElevate_detection", "correlation_type": "event", "count": 1, "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "low", "incident.aggregation.key": "Subrule_AutoElevate_detection|win7-hack.stand2008.local|c:\\windows\\system32\\wusa.exe", "incident.aggregation.timeout": 3600, "incident.category": "Undefined", "incident.severity": "low", "normalized": true, "object": "process", 
"object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "244883", "object.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1352", "object.process.name": "wusa.exe", "object.process.parent.id": "2372", "object.process.path": "C:\\Windows\\System32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_3.sc new file mode 100644 index 00000000..b4f1df5b --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_3.sc 
@@ -0,0 +1,7 @@ +# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. +# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", 
"object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.session_id": "79717", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:44:16.508Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "TokenElevationTypeLimited", "subject.account.session_id": "79717", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.608Z", "type": "raw", "uuid": "3f5255f8-2046-4ccc-8ab0-94241391249d"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", 
"object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:47:21.139Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.826Z", "type": "raw", "uuid": "a7cf27bb-23a3-4f08-bef1-22633514db07"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"_rule": "Subrule_AutoElevate_detection", "action": "start", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Elevation Control Mechanism", "correlation_name": "Subrule_AutoElevate_detection", "correlation_type": "event", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "low", "incident.aggregation.key": "Subrule_AutoElevate_detection|iewin7|c:\\windows\\system32\\wusa.exe", "incident.aggregation.timeout": 3600, "incident.category": "Undefined", "incident.severity": "low", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "79717", "object.process.fullpath": 
"C:\\Windows\\System32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_4.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_4.sc new file mode 100644 index 00000000..27cd362d --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_4.sc 
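Review bot: The two input events in this scenario carry `recv_time` values almost three minutes apart (2023-06-19T15:44:16.508Z and 2023-06-19T15:47:21.139Z) while their `time` values are 0.218 s apart (2019-05-11T17:10:10.608Z and 17:10:10.826Z), so whether the correlation window is satisfied depends on which timestamp the engine evaluates it on. Presumably the window is computed on `time` and the test passes for that reason, but the fixture should not rely on it: align the second event's receive time with the first, e.g. `"recv_time": "2023-06-19T15:44:16.726Z"`, so the scenario stays valid if the window length or the engine's clock source changes. The same pair of raw events, with the same `uuid` values and the same `recv_time` gap, appears in the raw_events fixtures earlier in this patch, so the fix belongs there as well.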
@@ -0,0 +1,9 @@ +# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. +# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", 
"object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.session_id": "79717", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:44:16.508Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "TokenElevationTypeLimited", "subject.account.session_id": "79717", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.608Z", "type": "raw", "uuid": "3f5255f8-2046-4ccc-8ab0-94241391249d"} +{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", 
"object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:47:21.139Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.826Z", "type": "raw", "uuid": "a7cf27bb-23a3-4f08-bef1-22633514db07"} +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8893206Z\"},\"EventRecordID\":\"18207\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xc74\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": 
"Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "C:\\Windows\\System32\\cmd.exe", "object.process.id": "3188", "object.process.name": "cmd.exe", "object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:44:56.726Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.889Z", "type": "raw", "uuid": "4b969569-cc44-4df3-a0f2-cc9d3aab72d5"} + + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"_rule": "Subrule_AutoElevate_detection", "action": "start", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Elevation Control Mechanism", "correlation_name": "Subrule_AutoElevate_detection", "correlation_type": "event", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "low", "incident.aggregation.key": "Subrule_AutoElevate_detection|iewin7|c:\\windows\\system32\\wusa.exe", "incident.aggregation.timeout": 3600, "incident.category": "Undefined", "incident.severity": "low", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "79717", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"} 
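Review bot: The two leading comment lines and the `# Тут будет твой тест…` line are the untouched scaffold placeholders rather than a description of what this scenario checks, so a reader has to diff the three events by hand to see which one is supposed to match. Since `expect 1` pins exactly one event with `alert.key` `TokenElevationTypeLimited->TokenElevationTypeFull`, the trailing cmd.exe start with `TokenElevationTypeDefault` under the same parent PID 1264 is effectively a negative case and deserves to be named as such; I would replace the placeholder with `# Scenario: parent PID 1264 starts wusa.exe with TokenElevationTypeLimited (IEUser), then wusa.exe with TokenElevationTypeFull (SYSTEM);` followed by `# the later cmd.exe start with TokenElevationTypeDefault must not produce a second alert; exactly one Limited->Full event is expected.`. The expected `incident.aggregation.key` is built from the lowercased process fullpath (`c:\\windows\\system32\\wusa.exe`) rather than the parent PID that the deleted Subrule_CreateChildProcess_with_DifferentTokens rule aggregated on, so alerts from different parent processes auto-elevating the same binary would fold into one incident within the 3600 s timeout; whether that is intended depends on rule.co, which is outside this hunk.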
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_1.tc
new file mode 100644
index 00000000..4334de50
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_1.tc
@@ -0,0 +1 @@
+expect 1 {"correlation_name": "Subrule_AutoElevate_detection"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_2.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_2.tc
new file mode 100644
index 00000000..4334de50
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_2.tc
@@ -0,0 +1 @@
+expect 1 {"correlation_name": "Subrule_AutoElevate_detection"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_3.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_3.tc
new file mode 100644
index 00000000..4334de50
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_3.tc
@@ -0,0 +1 @@
+expect 1 {"correlation_name": "Subrule_AutoElevate_detection"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_4.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_4.tc
new file mode 100644
index 00000000..4334de50
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_4.tc
@@ -0,0 +1 @@
+expect 1 {"correlation_name": "Subrule_AutoElevate_detection"}
\ No newline at end of file
From 531425b111d4a58f8360164164b722a4dbb653fe Mon Sep 17 00:00:00 2001
From: Andru Date: Fri, 23 Jun 2023 17:24:47 +0300 Subject: [PATCH 6/9] =?UTF-8?q?=D0=A3=D0=B4=D0=B0=D0=BB=D0=B5=D0=BD=D0=BE?= =?UTF-8?q?=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B8=D0=BB=D0=BE=20Subrule=5FCreat?= =?UTF-8?q?eChildProcess=5Fwith=5FDifferentTokens.=20=D0=97=D0=B0=D0=BC?= =?UTF-8?q?=D0=B5=D1=81=D1=82=D0=BE=20=D0=BD=D0=B5=D0=B3=D0=BE=20=D1=80?= =?UTF-8?q?=D0=B0=D0=B7=D1=80=D0=B0=D0=B1=D0=BE=D1=82=D0=B0=D0=BD=D0=BE=20?= =?UTF-8?q?Subrule=5FAutoElevate=5Fdetection.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../i18n/i18n_en.yaml | 4 - .../i18n/i18n_ru.yaml | 4 - .../metainfo.yaml | 28 ----- .../rule.co | 103 ------------------ .../tests/raw_events_1.json | 2 - .../tests/raw_events_2.json | 2 - .../tests/raw_events_3.json | 3 - .../tests/test_1.sc | 6 - .../tests/test_2.sc | 8 -- .../tests/test_3.sc | 9 -- .../tests/test_conds_1.tc | 1 - .../tests/test_conds_2.tc | 1 - .../tests/test_conds_3.tc | 1 - 13 files changed, 172 deletions(-) delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/i18n/i18n_en.yaml delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/i18n/i18n_ru.yaml delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/metainfo.yaml delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/rule.co delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_1.json delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_2.json delete mode 100644 
packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_3.json
delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_1.sc
delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_2.sc
delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_3.sc
delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_1.tc
delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_2.tc
delete mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_3.tc
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/i18n/i18n_en.yaml
deleted file mode 100644
index a91a9421..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/i18n/i18n_en.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-Description: 'The launch of child processes with different Access Tokens was detected'
-EventDescriptions:
- - LocalizationId: 'corrname_Subrule_CreateChildProcess_with_DifferentTokens'
- EventDescription: 'Process with PID {object.process.parent.id} escalate own privileges:{alert.key} at host {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/i18n/i18n_ru.yaml
deleted file mode 100644
index 6ff3a74f..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/i18n/i18n_ru.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-Description: 'Обнаружен запуск дочерних процессов с различными маркерами доступа (Access Tokens)'
-EventDescriptions:
- - LocalizationId: 'corrname_Subrule_CreateChildProcess_with_DifferentTokens'
- EventDescription: 'Процесс с идентификатором {object.process.parent.id} повысил свои привилегии: {alert.key} на хосте {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/metainfo.yaml
deleted file mode 100644
index c87904be..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/metainfo.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-ObjectId: LOC-CR-206774439
-ContentAutoName: Subrule_CreateChildProcess_with_DifferentTokens
-ExpertContext:
- Created: 19.06.2023
- Updated: 19.06.2023
- KnowledgeHolders:
- - driverenok
- Usecases:
- - Атакующие могут повышать привилегии путем манипуляций с Access Tokens
- References:
- - https://attack.mitre.org/techniques/T1134/
- DataSources:
- - Provider: Microsoft-Windows-Security-Auditing
- EventID:
- - 4688
- - Provider: Microsoft-Windows-Sysmon
- EventID:
- - 1
-ContentRelations:
- Implements:
- ATTACK:
- privilege-escalation:
- - T1134
- defense-evasion:
- - T1134
-EventDescriptions:
- - Criteria: correlation_name = "Subrule_CreateChildProcess_with_DifferentTokens"
- LocalizationId: corrname_Subrule_CreateChildProcess_with_DifferentTokens
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/rule.co
deleted file mode 100644
index aa28aaea..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/rule.co
+++ /dev/null
@@ -1,103 +0,0 @@
-event Process_Start_with_LimitedToken:
- key:
- event_src.host, object.process.parent.id
- filter {
- filter::NotFromCorrelator() and
- filter::ProcessStart_Windows_any() and
- subject.account.privileges == "TokenElevationTypeLimited"
- }
-
-event Process_Start_with_FullToken:
- key:
- event_src.host, object.process.parent.id
- filter {
- filter::NotFromCorrelator() and
- filter::ProcessStart_Windows_any() and
- in_list(["TokenElevationTypeFull", "TokenElevationTypeDefault"], subject.account.privileges)
- }
-
-rule Subrule_CreateChildProcess_with_DifferentTokens: Process_Start_with_LimitedToken and Process_Start_with_FullToken with different subject.account.session_id
-
- init {
- $labels = "w_auto"
- }
-
- on Process_Start_with_LimitedToken {
- $alert.key = subject.account.privileges
- $alert.context = "PID_" + object.process.parent.id + "_start_process_" + object.process.name + "_with_" + subject.account.privileges
- }
-
- on Process_Start_with_FullToken {
- $subject.account.id = subject.account.id
- $subject.account.name = subject.account.name
- $subject.account.domain = subject.account.domain
- $subject.account.fullname = subject.account.fullname
- $subject.account.session_id = subject.account.session_id
- $subject.account.privileges = subject.account.privileges
-
- $object.account.id = object.account.id
- $object.account.session_id = object.account.session_id
- $object.account.name = object.account.name
- $object.account.domain = object.account.domain
- $object.account.fullname = object.account.fullname
- $object.account.privileges = subject.account.privileges
-
- $object.process.id = object.process.id
- $object.process.name = object.process.name
- $object.process.path = object.process.path
- $object.process.fullpath = object.process.fullpath
- $object.process.hash = object.process.hash
- $object.process.hash.md5 = object.process.hash.md5
- $object.process.hash.sha1 = object.process.hash.sha1
- $object.process.hash.sha256 = 
object.process.hash.sha256
- $object.process.version = object.process.version
- $object.process.cmdline = object.process.cmdline
- $object.process.guid = object.process.guid
- $object.process.meta = object.process.meta
- $object.process.original_name = object.process.original_name
- $object.process.cwd = object.process.cwd
- $object.process.chain = object.process.chain
-
- $object.process.parent.id = object.process.parent.id
- $object.process.parent.name = object.process.parent.name
- $object.process.parent.path = object.process.parent.path
- $object.process.parent.fullpath = object.process.parent.fullpath
- $object.process.parent.guid = object.process.parent.guid
- $object.process.parent.cmdline = object.process.parent.cmdline
-
- $event_src.ip = event_src.ip
- $event_src.hostname = event_src.hostname
- $event_src.fqdn = event_src.fqdn
- $event_src.host = event_src.host
- $event_src.asset = event_src.asset
- $event_src.vendor = event_src.vendor
- $event_src.title = event_src.title
- $event_src.subsys = event_src.subsys
- $event_src.rule = event_src.rule
-
- $alert.key = $alert.key + "->" + subject.account.privileges
- $alert.context = $alert.context + "_then_PID_" + object.process.parent.id + "_start_process_" + object.process.name + "_with_" + subject.account.privileges
- }
-
-emit {
- $correlation_type = "incident"
-
- $subject = "account"
- $action = "escalate"
- $object = "account"
- $status = "success"
-
- $importance = "medium"
-
- $category.generic = "Attack"
- $category.high = "Privilege Escalation"
- $category.low = "Access Token Manipulation"
-
- $incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($object.process.parent.id)], "|")
- $incident.aggregation.timeout = 2h
-
- $incident.severity = $importance
-
- $incident.category = "Undefined"
-
-}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_1.json
deleted file mode 100644
index aa41a4bd..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_1.json
+++ /dev/null
@@ -1,2 +0,0 @@ -{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:44:16.508Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"3f5255f8-2046-4ccc-8ab0-94241391249d"} 
-{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:47:21.139Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"a7cf27bb-23a3-4f08-bef1-22633514db07"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_2.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_2.json deleted file mode 100644 index 20b78620..00000000 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_2.json +++ /dev/null 
@@ -1,2 +0,0 @@ -{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:44:16.508Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"3f5255f8-2046-4ccc-8ab0-94241391249d"} 
-{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8893206Z\"},\"EventRecordID\":\"18207\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xc74\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:44:56.726Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"4b969569-cc44-4df3-a0f2-cc9d3aab72d5"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_3.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_3.json deleted file mode 100644 index 9a6dadf9..00000000 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/raw_events_3.json +++ /dev/null 
@@ -1,3 +0,0 @@ -{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:44:16.508Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"3f5255f8-2046-4ccc-8ab0-94241391249d"} 
-{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:47:21.139Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"a7cf27bb-23a3-4f08-bef1-22633514db07"} 
-{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8893206Z\"},\"EventRecordID\":\"18207\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xc74\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-19T15:44:56.726Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"4b969569-cc44-4df3-a0f2-cc9d3aab72d5"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_1.sc deleted file mode 100644 index 05e51516..00000000 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_1.sc +++ /dev/null 
@@ -1,6 +0,0 @@ -# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. -# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. -{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", 
"object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.session_id": "79717", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:44:16.508Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "TokenElevationTypeLimited", "subject.account.session_id": "79717", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.608Z", "type": "raw", "uuid": "3f5255f8-2046-4ccc-8ab0-94241391249d"} -{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", 
"object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:47:21.139Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.826Z", "type": "raw", "uuid": "a7cf27bb-23a3-4f08-bef1-22633514db07"} - -expect 1 {"_rule": "Subrule_CreateChildProcess_with_DifferentTokens", "action": "escalate", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation", "correlation_name": "Subrule_CreateChildProcess_with_DifferentTokens", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "incident.aggregation.key": "Subrule_CreateChildProcess_with_DifferentTokens|iewin7|1264", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "account", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.privileges": "TokenElevationTypeFull", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", 
"object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_2.sc deleted file mode 100644 index f3a6f847..00000000 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_2.sc +++ /dev/null 
@@ -1,8 +0,0 @@ -# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. -# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. -{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", 
"object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.session_id": "79717", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:44:16.508Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "TokenElevationTypeLimited", "subject.account.session_id": "79717", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.608Z", "type": "raw", "uuid": "3f5255f8-2046-4ccc-8ab0-94241391249d"} -{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8893206Z\"},\"EventRecordID\":\"18207\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xc74\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.id": "3188", "object.process.name": "cmd.exe", "object.process.parent.id": 
"1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:44:56.726Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.889Z", "type": "raw", "uuid": "4b969569-cc44-4df3-a0f2-cc9d3aab72d5"} - - -# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь -expect 1 {"_rule": "Subrule_CreateChildProcess_with_DifferentTokens", "action": "escalate", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_cmd.exe_with_TokenElevationTypeDefault", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeDefault", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation", "correlation_name": "Subrule_CreateChildProcess_with_DifferentTokens", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "incident.aggregation.key": "Subrule_CreateChildProcess_with_DifferentTokens|iewin7|1264", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "account", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.privileges": "TokenElevationTypeDefault", "object.account.session_id": "999", "object.process.fullpath": 
"c:\\windows\\system32\\cmd.exe", "object.process.id": "3188", "object.process.name": "cmd.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_3.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_3.sc deleted file mode 100644 index 622ad2be..00000000 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_3.sc +++ /dev/null 
@@ -1,9 +0,0 @@ -# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. -# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. -{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6080706Z\"},\"EventRecordID\":\"18197\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3583694148-1414552638-2922671848-1000\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEUser\"},{\"Name\":\"SubjectDomainName\",\"text\":\"IEWIN7\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x13765\"},{\"Name\":\"NewProcessId\",\"text\":\"0x628\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", 
"object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.session_id": "79717", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:44:16.508Z", "status": "success", "subject": "account", "subject.account.domain": "iewin7", "subject.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "subject.account.name": "ieuser", "subject.account.privileges": "TokenElevationTypeLimited", "subject.account.session_id": "79717", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.608Z", "type": "raw", "uuid": "3f5255f8-2046-4ccc-8ab0-94241391249d"} -{"action": "start", "body": 
"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8268206Z\"},\"EventRecordID\":\"18205\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x5b0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", 
"object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:47:21.139Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.826Z", "type": "raw", "uuid": "a7cf27bb-23a3-4f08-bef1-22633514db07"} -{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8893206Z\"},\"EventRecordID\":\"18207\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xc74\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": 
"Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.id": "3188", "object.process.name": "cmd.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T15:44:56.726Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.889Z", "type": "raw", "uuid": "4b969569-cc44-4df3-a0f2-cc9d3aab72d5"} - - -# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь -expect 1 {"_rule": "Subrule_CreateChildProcess_with_DifferentTokens", "action": "escalate", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation", "correlation_name": "Subrule_CreateChildProcess_with_DifferentTokens", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "incident.aggregation.key": "Subrule_CreateChildProcess_with_DifferentTokens|iewin7|1264", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "account", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.privileges": "TokenElevationTypeFull", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"} 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_1.tc
deleted file mode 100644
index e3ddd034..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_1.tc
+++ /dev/null
@@ -1 +0,0 @@
-expect 1 {"correlation_name": "Subrule_CreateChildProcess_with_DifferentTokens"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_2.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_2.tc
deleted file mode 100644
index e3ddd034..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_2.tc
+++ /dev/null
@@ -1 +0,0 @@
-expect 1 {"correlation_name": "Subrule_CreateChildProcess_with_DifferentTokens"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_3.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_3.tc
deleted file mode 100644
index e3ddd034..00000000
--- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_CreateChildProcess_with_DifferentTokens/tests/test_conds_3.tc
+++ /dev/null
@@ -1 +0,0 @@
-expect 1 {"correlation_name": "Subrule_CreateChildProcess_with_DifferentTokens"}
\ No newline at end of file
From 70b8bb9edf2b73d10a5ef323f3f00f5891b59acb Mon Sep 17 00:00:00 2001
From: Andru Date: Mon, 26 Jun 2023 17:56:51 +0300 Subject: [PATCH 7/9] Updated rule Subrule_AutoElevate_detection --- .../Subrule_AutoElevate_detection/metainfo.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/metainfo.yaml index 915a1801..b859049d 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/metainfo.yaml +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/metainfo.yaml @@ -2,11 +2,11 @@ ObjectId: LOC-CR-124009838 ContentAutoName: Subrule_AutoElevate_detection ExpertContext: Created: 22.06.2023 - Updated: 23.06.2023 + Updated: 26.06.2023 KnowledgeHolders: - driverenok Usecases: - - "Легитимная активность, в результате которой процесс, имеющий в манифесте исполняемого файла опцию AutoElevate, запускаетс дважды: 1й запуск - с LimitedToken, 2й раз - с FullToken" + - "Легитимная активность, в результате которой процесс, имеющий в манифесте исполняемого файла опцию AutoElevate, запускается дважды: 1й запуск - с LimitedToken, 2й раз - с FullToken" Falsepositives: - Процессы, родителем которых является процесс explorer.exe и запускаются администраторами References: From 32ee2aeb40757afeb3527fc5e37a46933002c7f1 Mon Sep 17 00:00:00 2001 
From: Andru Date: Tue, 25 Jul 2023 11:26:22 +0300 Subject: [PATCH 8/9] Added rule UAC_bypass_via_AccessToken_manipulation --- .../i18n/i18n_en.yaml | 4 + .../i18n/i18n_ru.yaml | 4 + .../metainfo.yaml | 26 ++++ .../rule.co | 136 ++++++++++++++++++ .../tests/raw_events_1.json | 1 + .../tests/test_1.sc | 7 + .../tests/test_2.sc | 7 + .../tests/test_conds_1.tc | 1 + 8 files changed, 186 insertions(+) create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/i18n/i18n_en.yaml create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/i18n/i18n_ru.yaml create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/metainfo.yaml create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/rule.co create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/raw_events_1.json create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_1.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_2.sc create mode 100644 packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_conds_1.tc diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/i18n/i18n_en.yaml new file mode 100644 index 00000000..6b46ee29 --- /dev/null 
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/i18n/i18n_en.yaml
@@ -0,0 +1,4 @@
+Description: 'UAC bypass was detected via AccessToken manipulation'
+EventDescriptions:
+ - LocalizationId: 'corrname_UAC_bypass_via_AccessToken_manipulation'
+ EventDescription: 'Process {object.process.name} started by process {subject.process.name} with AutoElevation flag behalf of the user {object.account.domain}\{object.account.name} at host {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/i18n/i18n_ru.yaml
new file mode 100644
index 00000000..10db0a5d
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/i18n/i18n_ru.yaml
@@ -0,0 +1,4 @@
+Description: 'Обнаружен обход UAC путем манипуляции с токенами доступа (Access Tokens)'
+EventDescriptions:
+ - LocalizationId: 'corrname_UAC_bypass_via_AccessToken_manipulation'
+ EventDescription: 'Процесс {object.process.name} запущен процессом {subject.process.name} с автоматическим повышением привилегий от имени пользователя {object.account.domain}\{object.account.name} на хосте {event_src.host}'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/metainfo.yaml
new file mode 100644
index 00000000..396e3aa3
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/metainfo.yaml
@@ -0,0 +1,26 @@ +ObjectId: LOC-CR-193475549 +ContentAutoName: UAC_bypass_via_AccessToken_manipulation +ExpertContext: + Created: 26.06.2023 + Updated: 26.06.2023 + KnowledgeHolders: + - driverenok + Usecases: + - Атакующие могут обходить UAC путем манипуляции токенами доступа (Access Tokens) + References: + - https://attack.mitre.org/techniques/T1548/002/ + DataSources: + - Provider: Microsoft-Windows-Security-Auditing + EventID: + - 4688 + - Provider: Microsoft-Windows-Sysmon + EventID: + - 1 +ContentRelations: + Implements: + ATTACK: + privilege-escalation: + - T1548.002 +EventDescriptions: + - Criteria: correlation_name = "UAC_bypass_via_AccessToken_manipulation" + LocalizationId: corrname_UAC_bypass_via_AccessToken_manipulation diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/rule.co new file mode 100644 index 00000000..45e6b8f9 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/rule.co 
@@ -0,0 +1,136 @@
+# Emulate:
+# > git clone https://github.com/rootm0s/WinPwnage.git and install it
+# > python .\main.py --use uac --id 11 --payload c:\\windows\\system32\\cmd.exe
+
+# How it works:
+#cmd.exe (PID: 0xa18, SubjectName: Администратор, TokenElevationTypeLimited, LogonId: 0x3bc93)
+#└── py.exe(PID: 0x988, SubjectName: Администратор, TokenElevationTypeLimited, LogonId: 0x3bc93)
+# └── python.exe (PID: 0x944, SubjectName: Администратор, TokenElevationTypeLimited, LogonId: 0x3bc93)
+# ├── wusa.exe (PID: 0x548, SubjectName: Администратор, TokenElevationTypeLimited, LogonId: 0x3bc93)
+# │ ---> ProcessTerminate(wusa.exe, EventId: 4689, PID: 0x548, ExitStatus: 0xc000042c - STATUS_ELEVATION _REQUIRED)
+# ├── wusa.exe (PID: 0xae0, SubjectName: WIN7-HACK$, TokenElevationTypeFull, LogonId: 0x3e7)
+# │ ---> hToken = NtOpenProcessToken (ProcessName: wusa.exe, DesiredAccess: 0x02000000)
+# │ ---> ProcessTerminate(EventId: 4689, wusa.exe, PID: 0xae0, ExitStatus: 0xffffffff)
+# │ ---> newToken = DuplicateTokenEx (hToken, DesiredAccess: TOKEN_ALL_ACCESS)
+# │ ---> ImpersonateLoggedOnUser(newToken)
+# │ ---> CreteProcessWithToken(u"aaa", u"bbb", u"ccc", LOGON_NETCREDENTIALS_ONLY, EventId: 4624, LogonType: 9, SubjectName = TargetName, SubjectLogonId != TargetLogonId, LogonProcessName: seclogo)
+# └── cmd.exe (PID: 0xb24, SubjectName: WIN7-HACK$, TokenElevationTypeDefault, LogonId: 0x3e7)
+
+event AutoElevate_Detect:
+ key:
+ event_src.host, subject.account.session_id, object.process.parent.id
+ filter {
+ correlation_name == "Subrule_AutoElevate_detection"
+ }
+
+event Process_Start:
+ key:
+ event_src.host, subject.account.session_id, object.process.parent.id
+ filter {
+ filter::NotFromCorrelator()
+ and filter::ProcessStart_Windows_any() and
+ in_list(["tokenelevationtypefull", "tokenelevationtypedefault"], lower(subject.account.privileges))
+ }
+
+rule UAC_bypass_via_AccessToken_manipulation: (AutoElevate_Detect and Process_Start with different object.process.name) timer 10s
+ on AutoElevate_Detect {
+ $subject = "account"
+
+ $subject.process.id = object.process.id
+ $subject.process.name = object.process.name
+ $subject.process.path = object.process.path
+ $subject.process.fullpath = object.process.fullpath
+ $subject.process.hash = object.process.hash
+ $subject.process.hash.md5 = object.process.hash.md5
+ $subject.process.hash.sha1 = object.process.hash.sha1
+ $subject.process.hash.sha256 = object.process.hash.sha256
+ $subject.process.version = object.process.version
+ $subject.process.cmdline = object.process.cmdline
+ $subject.process.guid = object.process.guid
+ $subject.process.meta = object.process.meta
+ $subject.process.original_name = object.process.original_name
+ $subject.process.cwd = object.process.cwd
+ $subject.process.chain = object.process.chain
+
+ $subject.process.parent.id = object.process.parent.id
+ $subject.process.parent.name = object.process.parent.name
+ $subject.process.parent.path = object.process.parent.path
+ $subject.process.parent.fullpath = object.process.parent.fullpath
+ $subject.process.parent.guid = object.process.parent.guid
+ $subject.process.parent.cmdline = object.process.parent.cmdline
+
+ $action = "escalate"
+
+ $object = "account"
+
+ $object.account.id = object.account.id
+ $object.account.name = object.account.name
+ $object.account.domain = object.account.domain
+ $object.account.fullname = object.account.fullname
+ $object.account.session_id = object.account.session_id
+ $object.account.privileges = object.account.privileges
+
+ $status = "success"
+ }
+ on Process_Start {
+ $subject.account.id = subject.account.id
+ $subject.account.name = subject.account.name
+ $subject.account.domain = subject.account.domain
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.session_id = subject.account.session_id
+ $subject.account.privileges = subject.account.privileges
+
+ $object.process.id = object.process.id
+ $object.process.name = object.process.name
+ $object.process.path = object.process.path
+ $object.process.fullpath = object.process.fullpath
+ $object.process.hash = object.process.hash
+ $object.process.hash.md5 = object.process.hash.md5
+ $object.process.hash.sha1 = object.process.hash.sha1
+ $object.process.hash.sha256 = object.process.hash.sha256
+ $object.process.version = object.process.version
+ $object.process.cmdline = object.process.cmdline
+ $object.process.guid = object.process.guid
+ $object.process.meta = object.process.meta
+ $object.process.original_name = object.process.original_name
+ $object.process.cwd = object.process.cwd
+ $object.process.chain = object.process.chain
+
+ $object.process.parent.id = object.process.parent.id
+ $object.process.parent.name = object.process.parent.name
+ $object.process.parent.path = object.process.parent.path
+ $object.process.parent.fullpath = object.process.parent.fullpath
+ $object.process.parent.guid = object.process.parent.guid
+ $object.process.parent.cmdline = object.process.parent.cmdline
+
+ $event_src.ip = event_src.ip
+ $event_src.hostname = event_src.hostname
+ $event_src.fqdn = event_src.fqdn
+ $event_src.host = event_src.host
+ $event_src.asset = event_src.asset
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.rule = event_src.rule
+
+ $alert.key = object.account.privileges + "->" + subject.account.privileges
+ $alert.context = "PID_" + object.process.parent.id + "with" + object.account.privileges + "_start_process_" + object.process.name + "_with_" + subject.account.privileges
+ }
+
+emit {
+ $correlation_type = "incident"
+
+ $importance = "high"
+
+ $category.generic = "Attack"
+ $category.high = "Privilege Escalation"
+ $category.low = "Abuse Elevation Control Mechanism: Bypass User Account Control"
+
+ $incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($subject.account.id)], "|")
+ $incident.aggregation.timeout = 2h
+
+ $incident.severity = $importance
+
+ $incident.category = "Undefined"
+
+}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/raw_events_1.json
new file mode 100644
index 00000000..7cd33bc5
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/raw_events_1.json
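Review bot: The incident aggregation key in `emit` uses `lower($subject.account.id)`, but `on Process_Start` overwrites `$subject.account.id` with the SID of the account that started the elevated child, which in both fixtures is S-1-5-18 (test_1.sc expects `...|win7-hack.stand2008.local|s-1-5-18`), so every bypass on a host collapses into one incident keyed on SYSTEM regardless of which user's parent process did it. The account whose token was escalated is kept in `$object.account.id`, taken from the subrule event in `on AutoElevate_Detect`; `$incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($object.account.id)], "|")` would keep distinct originating users apart, or `$subject.process.parent.id` could be added to the key. Separately, metainfo.yaml (previous hunk) declares Microsoft-Windows-Sysmon EventID 1 as a data source, yet `Process_Start` only matches when `subject.account.privileges` is a TokenElevationType value, which raw_events_1.json shows being normalized from the 4688 `TokenElevationType` field; unless Sysmon 1 is normalized to the same field, Sysmon-only hosts can never satisfy this rule and that data source should either be dropped or the filter's dependence on 4688 noted in the rule header.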
@@ -0,0 +1 @@ +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.5268577Z\"},\"EventRecordID\":\"1676642\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"WIN7-HACK$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xb24\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\regedit.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"c:\\\\windows\\\\regedit.exe\\\"\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-26T15:07:01.155Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"9ff5ba06-567e-43fe-bde9-c3416dde61cf"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_1.sc new file mode 100644 index 00000000..7623b25e --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_1.sc 
@@ -0,0 +1,7 @@ +# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. +# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. +{"_rule": "Subrule_AutoElevate_detection", "action": "start", "alert.context": "PID_2372_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_2372_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Elevation Control Mechanism", "correlation_name": "Subrule_AutoElevate_detection", "correlation_type": "event", "count": 1, "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "low", "incident.aggregation.key": "Subrule_AutoElevate_detection|win7-hack.stand2008.local|c:\\windows\\system32\\wusa.exe", "incident.aggregation.timeout": 3600, "incident.category": "Undefined", "incident.severity": "low", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "244883", "object.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1352", "object.process.name": "wusa.exe", "object.process.parent.id": "2372", "object.process.path": "C:\\Windows\\System32\\", "object.state": "0xc000042c", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "reason": "STATUS_ELEVATION_REQUIRED", "status": "success", 
"subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "time": "2023-06-20T15:36:05.526Z"} +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.5268577Z\"},\"EventRecordID\":\"1676642\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"WIN7-HACK$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xb24\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\regedit.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"c:\\\\windows\\\\regedit.exe\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": 
"00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-18", "object.account.name": "win7-hack$", "object.account.session_id": "999", "object.process.cmdline": "\"c:\\windows\\regedit.exe\"", "object.process.fullpath": "c:\\windows\\regedit.exe", "object.process.id": "2852", "object.process.name": "regedit.exe", "object.process.parent.id": "2372", "object.process.path": "c:\\windows\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-26T15:07:01.155Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-20T15:36:08.526Z", "type": "raw", "uuid": "9ff5ba06-567e-43fe-bde9-c3416dde61cf"} + +# Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"_rule": "UAC_bypass_via_AccessToken_manipulation", "action": "escalate", "alert.context": "PID_2372with_start_process_regedit.exe_with_TokenElevationTypeDefault", "alert.key": "->TokenElevationTypeDefault", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Abuse Elevation Control Mechanism: Bypass User Account Control", "correlation_name": "UAC_bypass_via_AccessToken_manipulation", "correlation_type": "incident", "count": 1, "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "high", "incident.aggregation.key": "UAC_bypass_via_AccessToken_manipulation|win7-hack.stand2008.local|s-1-5-18", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "normalized": true, "object": "account", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "244883", "object.process.cmdline": "\"c:\\windows\\regedit.exe\"", "object.process.fullpath": "c:\\windows\\regedit.exe", "object.process.id": "2852", "object.process.name": "regedit.exe", "object.process.parent.id": "2372", "object.process.path": "c:\\windows\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.process.cmdline": 
"\"C:\\Windows\\System32\\wusa.exe\"", "subject.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "subject.process.id": "1352", "subject.process.name": "wusa.exe", "subject.process.parent.id": "2372", "subject.process.path": "C:\\Windows\\System32\\"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_2.sc new file mode 100644 index 00000000..7cf411c0 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_2.sc 
@@ -0,0 +1,7 @@ +# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. +# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. +{"_rule": "Subrule_AutoElevate_detection", "action": "start", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Elevation Control Mechanism", "correlation_name": "Subrule_AutoElevate_detection", "correlation_type": "event", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "low", "incident.aggregation.key": "Subrule_AutoElevate_detection|iewin7|c:\\windows\\system32\\wusa.exe", "incident.aggregation.timeout": 3600, "incident.category": "Undefined", "incident.severity": "low", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "79717", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", 
"subject.account.session_id": "999", "time": "2019-05-11T17:10:10.889Z"} +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8893206Z\"},\"EventRecordID\":\"18207\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xc74\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": 
"c:\\windows\\system32\\cmd.exe", "object.process.id": "3188", "object.process.name": "cmd.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-26T15:49:02.732Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.889Z", "type": "raw", "uuid": "047296b7-4a61-4d22-9edf-9824f223cce1"} + +# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь +expect 1 {"_rule": "UAC_bypass_via_AccessToken_manipulation", "action": "escalate", "alert.context": "PID_1264with_start_process_cmd.exe_with_TokenElevationTypeDefault", "alert.key": "->TokenElevationTypeDefault", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Abuse Elevation Control Mechanism: Bypass User Account Control", "correlation_name": "UAC_bypass_via_AccessToken_manipulation", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "high", "incident.aggregation.key": "UAC_bypass_via_AccessToken_manipulation|iewin7|s-1-5-18", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "normalized": true, "object": "account", "object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.privileges": "TokenElevationTypeLimited", 
"object.account.session_id": "79717", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.id": "3188", "object.process.name": "cmd.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "subject.process.id": "1576", "subject.process.name": "wusa.exe", "subject.process.parent.id": "1264", "subject.process.path": "C:\\Windows\\System32\\"} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_conds_1.tc new file mode 100644 index 00000000..e5e27154 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_conds_1.tc @@ -0,0 +1 @@ +expect 1 {"correlation_name": "UAC_bypass_via_AccessToken_manipulation"} \ No newline at end of file From ed80898e257a0fbf7973853846a84bcb0ff72ae7 Mon Sep 17 00:00:00 2001 From: Andru Date: Tue, 25 Jul 2023 22:26:38 +0300 Subject: [PATCH 9/9] Updated Subrule_AutoElevate_detection and UAC_bypass_via_AccessToken_manipulation rules --- .../Subrule_AutoElevate_detection/tests/test_conds_4.tc | 2 +- .../metainfo.yaml | 2 +- .../UAC_bypass_via_AccessToken_manipulation/rule.co | 9 ++++++--- .../tests/raw_events_1.json | 3 +++ .../tests/test_1.sc | 2 +- .../tests/test_2.sc | 4 ++-- .../tests/test_conds_1.tc | 2 +- 7 files changed, 15 insertions(+), 9 deletions(-) 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_4.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_4.tc index 4334de50..390416da 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_4.tc +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/Subrule_AutoElevate_detection/tests/test_conds_4.tc 
@@ -1 +1 @@ -expect 1 {"correlation_name": "Subrule_AutoElevate_detection"} \ No newline at end of file +expect 1 {"_rule": "Subrule_AutoElevate_detection", "action": "start", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Elevation Control Mechanism", "correlation_name": "Subrule_AutoElevate_detection", "correlation_type": "event", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "low", "incident.aggregation.key": "Subrule_AutoElevate_detection|iewin7|c:\\windows\\system32\\wusa.exe", "incident.aggregation.timeout": 3600, "incident.category": "Undefined", "incident.severity": "low", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "79717", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999"} \ No newline at end of file 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/metainfo.yaml index 396e3aa3..1359a095 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/metainfo.yaml +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/metainfo.yaml @@ -2,7 +2,7 @@ ObjectId: LOC-CR-193475549 ContentAutoName: UAC_bypass_via_AccessToken_manipulation ExpertContext: Created: 26.06.2023 - Updated: 26.06.2023 + Updated: 25.07.2023 KnowledgeHolders: - driverenok Usecases: diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/rule.co index 45e6b8f9..3fc838a9 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/rule.co +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/rule.co @@ -32,7 +32,7 @@ event Process_Start: in_list(["tokenelevationtypefull", "tokenelevationtypedefault"], lower(subject.account.privileges)) } -rule UAC_bypass_via_AccessToken_manipulation: (AutoElevate_Detect and Process_Start with different object.process.name) timer 10s +rule UAC_bypass_via_AccessToken_manipulation: (AutoElevate_Detect -> Process_Start with different object.process.name) timer 10s on AutoElevate_Detect { $subject = "account" 
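Review bot: Switching the join from `and` to `->` makes the match depend on the Subrule_AutoElevate_detection correlation event reaching the engine before the child's raw 4688, and that ordering assumption is not recorded anywhere in the rule; a one-line comment above the rule line, `# AutoElevate_Detect is a correlation event and must precede the raw 4688 of the child; the 10s timer runs from it`, would save the next maintainer from re-deriving it. The fixtures only partly exercise the ordered form: test_2.sc as added in PATCH 8 gives both input events the same `time` (2019-05-11T17:10:10.889Z), so if the PATCH 9 edit to test_2.sc does not separate them, the sequence is decided by input order alone. The enclosing rule body continues outside the hunk.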
@@ -71,6 +71,9 @@ rule UAC_bypass_via_AccessToken_manipulation: (AutoElevate_Detect and Process_St $object.account.privileges = object.account.privileges $status = "success" + + $alert.key = object.account.privileges + $alert.context = "PID_" + object.process.parent.id + "_with_" + object.account.privileges } on Process_Start { $subject.account.id = subject.account.id @@ -113,8 +116,8 @@ rule UAC_bypass_via_AccessToken_manipulation: (AutoElevate_Detect and Process_St $event_src.subsys = event_src.subsys $event_src.rule = event_src.rule - $alert.key = object.account.privileges + "->" + subject.account.privileges - $alert.context = "PID_" + object.process.parent.id + "with" + object.account.privileges + "_start_process_" + object.process.name + "_with_" + subject.account.privileges + $alert.key = $alert.key + "->" + subject.account.privileges + $alert.context = $alert.context + "_start_process_" + object.process.name + "_with_" + subject.account.privileges + "_via_" + $subject.process.name } emit { diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/raw_events_1.json index 7cd33bc5..da5c3ed5 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/raw_events_1.json +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/raw_events_1.json 
@@ -1 +1,4 @@ +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.0268449Z\"},\"EventRecordID\":\"1676626\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"48\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3bc93\"},{\"Name\":\"NewProcessId\",\"text\":\"0x548\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-22T19:08:06.487Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"160e9a36-942b-464d-afeb-580ccdcc4b66"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4689\",\"Version\":\"0\",\"Level\":\"0\",\"Task\":\"13313\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.0424703Z\"},\"EventRecordID\":\"1676627\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-3800063338-4262557262-2801230003-500\"},{\"Name\":\"SubjectUserName\",\"text\":\"Администратор\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3bc93\"},{\"Name\":\"Status\",\"text\":\"0xc000042c\"},{\"Name\":\"ProcessId\",\"text\":\"0x548\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-22T19:08:06.489Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"3d36ab5b-d2f1-49a9-95f5-e28e35834b64"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.4643561Z\"},\"EventRecordID\":\"1676639\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"WIN7-HACK$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xae0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\wusa.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1937\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"C:\\\\Windows\\\\System32\\\\wusa.exe\\\"\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-22T19:08:06.490Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"70ef4f25-dc12-4038-b382-80a6eae212d0"} 
{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.5268577Z\"},\"EventRecordID\":\"1676642\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"WIN7-HACK$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xb24\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\regedit.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"c:\\\\windows\\\\regedit.exe\\\"\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2023-06-26T15:07:01.155Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"9ff5ba06-567e-43fe-bde9-c3416dde61cf"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_1.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_1.sc index 7623b25e..ec00fb9c 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_1.sc 
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_1.sc 
@@ -4,4 +4,4 @@ {"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2023-06-20T15:36:08.5268577Z\"},\"EventRecordID\":\"1676642\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"44\"},\"Channel\":\"Security\",\"Computer\":\"win7-hack.stand2008.local\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"WIN7-HACK$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"STAND2008\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xb24\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\regedit.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x944\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"c:\\\\windows\\\\regedit.exe\\\"\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "stand2008", "object.account.id": "S-1-5-18", "object.account.name": "win7-hack$", "object.account.session_id": 
"999", "object.process.cmdline": "\"c:\\windows\\regedit.exe\"", "object.process.fullpath": "c:\\windows\\regedit.exe", "object.process.id": "2852", "object.process.name": "regedit.exe", "object.process.parent.id": "2372", "object.process.path": "c:\\windows\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-26T15:07:01.155Z", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2023-06-20T15:36:08.526Z", "type": "raw", "uuid": "9ff5ba06-567e-43fe-bde9-c3416dde61cf"} # Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь -expect 1 {"_rule": "UAC_bypass_via_AccessToken_manipulation", "action": "escalate", "alert.context": "PID_2372with_start_process_regedit.exe_with_TokenElevationTypeDefault", "alert.key": "->TokenElevationTypeDefault", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Abuse Elevation Control Mechanism: Bypass User Account Control", "correlation_name": "UAC_bypass_via_AccessToken_manipulation", "correlation_type": "incident", "count": 1, "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "high", "incident.aggregation.key": "UAC_bypass_via_AccessToken_manipulation|win7-hack.stand2008.local|s-1-5-18", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "normalized": true, "object": "account", "object.account.domain": "stand2008", 
"object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "244883", "object.process.cmdline": "\"c:\\windows\\regedit.exe\"", "object.process.fullpath": "c:\\windows\\regedit.exe", "object.process.id": "2852", "object.process.name": "regedit.exe", "object.process.parent.id": "2372", "object.process.path": "c:\\windows\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "subject.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "subject.process.id": "1352", "subject.process.name": "wusa.exe", "subject.process.parent.id": "2372", "subject.process.path": "C:\\Windows\\System32\\"} +expect 1 {"_rule": "UAC_bypass_via_AccessToken_manipulation", "action": "escalate", "alert.context": "PID_2372_with_TokenElevationTypeLimited_start_process_regedit.exe_with_TokenElevationTypeDefault_via_wusa.exe", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeDefault", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Abuse Elevation Control Mechanism: Bypass User Account Control", "correlation_name": "UAC_bypass_via_AccessToken_manipulation", "correlation_type": "incident", "count": 1, "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "high", "incident.aggregation.key": 
"UAC_bypass_via_AccessToken_manipulation|win7-hack.stand2008.local|s-1-5-18", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "normalized": true, "object": "account", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "244883", "object.process.cmdline": "\"c:\\windows\\regedit.exe\"", "object.process.fullpath": "c:\\windows\\regedit.exe", "object.process.id": "2852", "object.process.name": "regedit.exe", "object.process.parent.id": "2372", "object.process.path": "c:\\windows\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "subject.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "subject.process.id": "1352", "subject.process.name": "wusa.exe", "subject.process.parent.id": "2372", "subject.process.path": "C:\\Windows\\System32\\"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_2.sc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_2.sc index 7cf411c0..6d9a4e6a 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_2.sc +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_2.sc 
@@ -1,7 +1,7 @@ # Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции. # События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку. {"_rule": "Subrule_AutoElevate_detection", "action": "start", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Elevation Control Mechanism", "correlation_name": "Subrule_AutoElevate_detection", "correlation_type": "event", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "low", "incident.aggregation.key": "Subrule_AutoElevate_detection|iewin7|c:\\windows\\system32\\wusa.exe", "incident.aggregation.timeout": 3600, "incident.category": "Undefined", "incident.severity": "low", "normalized": true, "object": "process", "object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "79717", "object.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "object.process.id": "1576", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "C:\\Windows\\System32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": 
"999", "time": "2019-05-11T17:10:10.889Z"} -{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8893206Z\"},\"EventRecordID\":\"18207\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xc74\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", 
"object.process.id": "3188", "object.process.name": "cmd.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-26T15:49:02.732Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.889Z", "type": "raw", "uuid": "047296b7-4a61-4d22-9edf-9824f223cce1"} +{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.8893206Z\"},\"EventRecordID\":\"18207\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0xc74\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x4f0\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", 
"event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.id": "3188", "object.process.name": "cmd.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-26T15:49:02.732Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:11.889Z", "type": "raw", "uuid": "047296b7-4a61-4d22-9edf-9824f223cce1"} # Тут будет твой тест. 
В секции expect укажи сколько и каких корреляционных событий ты ожидаешь -expect 1 {"_rule": "UAC_bypass_via_AccessToken_manipulation", "action": "escalate", "alert.context": "PID_1264with_start_process_cmd.exe_with_TokenElevationTypeDefault", "alert.key": "->TokenElevationTypeDefault", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Abuse Elevation Control Mechanism: Bypass User Account Control", "correlation_name": "UAC_bypass_via_AccessToken_manipulation", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "high", "incident.aggregation.key": "UAC_bypass_via_AccessToken_manipulation|iewin7|s-1-5-18", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "normalized": true, "object": "account", "object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "79717", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.id": "3188", "object.process.name": "cmd.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "subject.process.id": "1576", "subject.process.name": "wusa.exe", "subject.process.parent.id": "1264", 
"subject.process.path": "C:\\Windows\\System32\\"} +expect 1 {"_rule": "UAC_bypass_via_AccessToken_manipulation", "action": "escalate", "alert.context": "PID_1264_with_TokenElevationTypeLimited_start_process_cmd.exe_with_TokenElevationTypeDefault_via_wusa.exe", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeDefault", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Abuse Elevation Control Mechanism: Bypass User Account Control", "correlation_name": "UAC_bypass_via_AccessToken_manipulation", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "high", "incident.aggregation.key": "UAC_bypass_via_AccessToken_manipulation|iewin7|s-1-5-18", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "normalized": true, "object": "account", "object.account.domain": "iewin7", "object.account.id": "S-1-5-21-3583694148-1414552638-2922671848-1000", "object.account.name": "ieuser", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "79717", "object.process.fullpath": "c:\\windows\\system32\\cmd.exe", "object.process.id": "3188", "object.process.name": "cmd.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "subject.process.id": "1576", "subject.process.name": 
"wusa.exe", "subject.process.parent.id": "1264", "subject.process.path": "C:\\Windows\\System32\\"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_conds_1.tc index e5e27154..b7bd0cc0 100644 --- a/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_conds_1.tc +++ b/packages/windows_open_package/correlation_rules/mitre_attck_priv_esc/UAC_bypass_via_AccessToken_manipulation/tests/test_conds_1.tc 
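Review bot: The only change to the input 4688 event in this fixture is `time` moving from `2019-05-11T17:10:10.889Z` to `2019-05-11T17:10:11.889Z`, one second after the Subrule_AutoElevate_detection event it follows, which suggests the new `->` sequence is evaluated on event time and does not match when both events carry the same timestamp. If that is the engine's behaviour, a child whose 4688 lands in the same millisecond as the auto-elevated parent's would be missed (in raw_events_1.json the wusa.exe and regedit.exe starts are only ~62 ms apart), which is a detection gap an attacker does not have to work for. Worth confirming the sequence semantics and either keeping a same-timestamp fixture as a negative test or documenting the limitation in metainfo.yaml.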
@@ -1 +1 @@ -expect 1 {"correlation_name": "UAC_bypass_via_AccessToken_manipulation"} \ No newline at end of file +expect 1 {"_rule": "UAC_bypass_via_AccessToken_manipulation", "action": "escalate", "alert.context": "PID_2372_with_TokenElevationTypeLimited_start_process_regedit.exe_with_TokenElevationTypeDefault_via_wusa.exe", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeDefault", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Abuse Elevation Control Mechanism: Bypass User Account Control", "correlation_name": "UAC_bypass_via_AccessToken_manipulation", "correlation_type": "incident", "count": 1, "event_src.fqdn": "win7-hack.stand2008.local", "event_src.host": "win7-hack.stand2008.local", "event_src.hostname": "win7-hack", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "high", "incident.aggregation.key": "UAC_bypass_via_AccessToken_manipulation|win7-hack.stand2008.local|s-1-5-18", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "high", "normalized": true, "object": "account", "object.account.domain": "stand2008", "object.account.id": "S-1-5-21-3800063338-4262557262-2801230003-500", "object.account.name": "администратор", "object.account.privileges": "TokenElevationTypeLimited", "object.account.session_id": "244883", "object.process.cmdline": "\"c:\\windows\\regedit.exe\"", "object.process.fullpath": "C:\\Windows\\regedit.exe", "object.process.id": "2852", "object.process.name": "regedit.exe", "object.process.parent.id": "2372", "object.process.path": "C:\\Windows\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "stand2008", "subject.account.id": "S-1-5-18", "subject.account.name": "win7-hack$", "subject.account.privileges": 
"TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.process.cmdline": "\"C:\\Windows\\System32\\wusa.exe\"", "subject.process.fullpath": "C:\\Windows\\System32\\wusa.exe", "subject.process.id": "1352", "subject.process.name": "wusa.exe", "subject.process.parent.id": "2372", "subject.process.path": "C:\\Windows\\System32\\"} \ No newline at end of file