Expand Up @@ -41,14 +41,16 @@ else
endif

object.process.id = maybe_number16($Data["NewProcessId"])
object.process.fullpath = lower($Data["NewProcessName"])
#object.process.fullpath = lower($Data["NewProcessName"])
object.process.fullpath = $Data["NewProcessName"]
$process_path = csv(object.process.fullpath, "\\", "")
object.process.name = $process_path[length($process_path) - 1]
object.process.path = strip(object.process.fullpath, "", object.process.name)
object.process.cmdline = $Data['CommandLine']

object.process.parent.id = maybe_number16($Data["ProcessId"])
object.process.parent.fullpath = lower($Data["ParentProcessName"])
#object.process.parent.fullpath = lower($Data["ParentProcessName"])
object.process.parent.fullpath = $Data["ParentProcessName"]
$process_parent_path = csv(object.process.parent.fullpath, "\\", "")
object.process.parent.name = $process_parent_path[length($process_parent_path) - 1]
object.process.parent.path = strip(object.process.parent.fullpath, "", object.process.parent.name)
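Review bot: Dropping `lower()` on `object.process.fullpath` (and on the parent field below it) makes the derived `object.process.name` case-preserving, while the correlation rule added in this same PR compares `object.process.name == "consent.exe"` literally; the 4688 `NewProcessName` value typically carries the on-disk casing, so a path spelled `Consent.exe` would presumably no longer match. Either keep `lower()` here or make the consumers compare case-insensitively, e.g. `lower(object.process.name) == "consent.exe"`. The `#object.process.fullpath = lower(...)` and `#object.process.parent.fullpath = lower(...)` lines are dead text that version history already records and should be deleted rather than kept. `$Data['CommandLine']` uses single quotes where every other lookup in the hunk uses double quotes. The enclosing conditional (`else`/`endif`) starts before this hunk.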
@@ -0,0 +1,4 @@
Description: 'The launch of child processes with different Access Tokens was detected'
EventDescriptions:
- LocalizationId: 'corrname_AccessTokenManipulation_via_Consent'
EventDescription: 'Process with PID {object.process.parent.id} escalate own privileges:{alert.key} afted lauched (subject.process.name) process at host {event_src.host}'
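Review bot: `(subject.process.name)` in EventDescription uses parentheses where every other field reference uses braces, so it will presumably be printed literally instead of substituted; change it to `{subject.process.name}`. The sentence also has typos: `escalate own privileges` → `escalated its privileges`, `afted lauched` → `after launching`. The `{alert.key}` placeholder is only filled if the rule sets `alert.key`, which the rule file in this PR currently does not (its `$alert.key` line is commented out), so the text will render with an empty value until that is fixed.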
@@ -0,0 +1,4 @@
Description: 'Обнаружен запуск дочерних процессов с различными маркерами доступа (Access Tokens).'
EventDescriptions:
- LocalizationId: 'corrname_AccessTokenManipulation_via_Consent'
EventDescription: 'Процесс с идентификатором {object.process.parent.id} повысил свои привилегии: {alert.key} после запуска полцесса {subject.process.name} на хосте {event_src.host}'
@@ -0,0 +1,31 @@
ObjectId: LOC-CR-330352538
ContentAutoName: AccessTokenManipulation_via_Consent
ExpertContext:
Created: 19.06.2023
Updated: 19.06.2023
KnowledgeHolders:
- driverenok
Usecases:
- Атакующие могут манипулировать маркерами доступа (Access Tokens) путем подмены dll, загружаемых в процесс consent.exe
References:
- https://attack.mitre.org/techniques/T1134/
- https://attack.mitre.org/techniques/T1548/002/
DataSources:
- Provider: Microsoft-Windows-Security-Auditing
EventID:
- 4688
- Provider: Microsoft-Windows-Sysmon
EventID:
- 1
ContentRelations:
Implements:
ATTACK:
privilege-escalation:
- T1134
- T1548.002
defense-evasion:
- T1134
- T1548.002
EventDescriptions:
- Criteria: correlation_name = "AccessTokenManipulation_via_Consent"
LocalizationId: corrname_AccessTokenManipulation_via_Consent
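Review bot: The metainfo has no `Falsepositives` entry, while the Subrule_AutoElevate_detection metainfo in this PR lists administrator launches of explorer.exe-parented processes; since this rule fires on that subrule's output joined with a consent.exe start, it inherits those cases and should document them with a `Falsepositives:` list naming legitimate UAC elevations of AutoElevate binaries by administrators. The `Usecases` text describes DLL substitution into consent.exe, but the rule file in this PR only correlates a consent.exe start with the token-difference subrule and inspects nothing about modules loaded by consent.exe; a sentence saying the rule detects the token-change side effect rather than the DLL substitution itself would keep analysts from over-reading a hit. `Updated` equals `Created`, which is fine for a new file but should be bumped on later edits.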
@@ -0,0 +1,118 @@
event Process_Start:
key:
event_src.host#, subject.account.session_id
filter {
filter::NotFromCorrelator() and
filter::ProcessStart_Windows_any() and
object.process.name == "consent.exe"
}

event Process_Start_with_DifferentTokens:
key:
event_src.host#, subject.account.session_id
filter {
correlation_name == "Subrule_CreateChildProcess_with_DifferentTokens"
}

rule AccessTokenManipulation_via_Consent: Process_Start and Process_Start_with_DifferentTokens #(Process_Start and ) with different object.process.parent.id within 10s

on Process_Start {
$object.account.name = subject.account.name
$object.account.domain = subject.account.domain
$object.account.fullname = subject.account.fullname
$object.account.id = subject.account.id
$object.account.session_id = subject.account.session_id
$object.account.privileges = subject.account.privileges

$event_src.ip = event_src.ip
$event_src.hostname = event_src.hostname
$event_src.fqdn = event_src.fqdn
$event_src.host = event_src.host
$event_src.asset = event_src.asset
$event_src.vendor = event_src.vendor
$event_src.title = event_src.title
$event_src.subsys = event_src.subsys
$event_src.rule = event_src.rule

$subject.process.id = object.process.id
$subject.process.name = object.process.name
$subject.process.path = object.process.path
$subject.process.fullpath = object.process.fullpath
$subject.process.hash = object.process.hash
$subject.process.hash.md5 = object.process.hash.md5
$subject.process.hash.sha1 = object.process.hash.sha1
$subject.process.hash.sha256 = object.process.hash.sha256
$subject.process.version = object.process.version
$subject.process.cmdline = object.process.cmdline
$subject.process.guid = object.process.guid
$subject.process.meta = object.process.meta
$subject.process.original_name = object.process.original_name
$subject.process.cwd = object.process.cwd
$subject.process.chain = object.process.chain
}

#on Process_Start {
# $subject.process.id = object.process.id
# $subject.process.name = object.process.name
# $subject.process.path = object.process.path
# $subject.process.fullpath = object.process.fullpath
# $subject.process.guid = object.process.guid
# $subject.process.cmdline = object.process.cmdline
#}

on Process_Start_with_DifferentTokens {
$subject.account.name = subject.account.name
$subject.account.domain = subject.account.domain
$subject.account.fullname = subject.account.fullname
$subject.account.session_id = subject.account.session_id
$subject.account.id = subject.account.id
$subject.account.privileges = subject.account.privileges

$object.process.id = object.process.id
$object.process.name = object.process.name
$object.process.path = object.process.path
$object.process.fullpath = object.process.fullpath
$object.process.hash = object.process.hash
$object.process.hash.md5 = object.process.hash.md5
$object.process.hash.sha1 = object.process.hash.sha1
$object.process.hash.sha256 = object.process.hash.sha256
$object.process.version = object.process.version
$object.process.cmdline = object.process.cmdline
$object.process.guid = object.process.guid
$object.process.meta = object.process.meta
$object.process.original_name = object.process.original_name
$object.process.cwd = object.process.cwd
$object.process.chain = object.process.chain

$object.process.parent.id = object.process.parent.id
$object.process.parent.name = object.process.parent.name
$object.process.parent.path = object.process.parent.path
$object.process.parent.fullpath = object.process.parent.fullpath
$object.process.parent.guid = object.process.parent.guid
$object.process.parent.cmdline = object.process.parent.cmdline

#$alert.key = $object.account.privileges + "->" $subject.account.privileges

}

emit {
$correlation_type = "incident"

$subject = "account"
$action = "escalate"
$object = "account"
$status = "success"

$importance = "medium"

$category.generic = "Attack"
$category.high = "Privilege Escalation"
$category.low = "Access Token Manipulation"

$incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($object.account.name)], "|")
$incident.aggregation.timeout = 2h

$incident.severity = $importance

$incident.category = "Undefined"
}
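Review bot: `on Process_Start_with_DifferentTokens` never copies `alert.key` (or `alert.context`) from the subrule event, yet the i18n description in this PR prints `{alert.key}` and the expected test output omits it, so the alert text will carry an empty value; add `$alert.key = alert.key` and `$alert.context = alert.context` in that block (the commented `#$alert.key = ...` line at its end suggests this was intended). On the `rule` line everything after `#`, including `within 10s`, is a comment if `#` opens comments there as it does elsewhere in the file, so the correlation has no explicit time window; confirm whether `within 10s` should be restored outside the comment. The two events are joined only on `event_src.host` and `subject.account.session_id`, with no tie between the consent.exe process and the parent of the token-changing child (the commented `with different object.process.parent.id` hints at that intent), so any UAC prompt and any AutoElevate launch in the same session appear to pair up — worth tightening or at least recording in the metainfo. The commented-out `on Process_Start` block and the `#$alert.key` line are dead text and should be removed.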
@@ -0,0 +1,7 @@
# Здесь укажи какие нормализованные события (одно или несколько) ты подаёшь на вход правилу корреляции.
# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку.
{"action": "start", "body": "{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2019-05-11T17:10:10.6236956Z\"},\"EventRecordID\":\"18198\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"52\"},\"Channel\":\"Security\",\"Computer\":\"IEWIN7\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"IEWIN7$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"NewProcessId\",\"text\":\"0x7f0\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\consent.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1936\"},{\"Name\":\"ProcessId\",\"text\":\"0x3c8\"},{\"Name\":\"CommandLine\"}]}}}", "category.generic": "Process", "category.high": "Availability Management", "category.low": "Control", "event_src.category": "Operating system", "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "logcollector", "generator.version": "N26.0.2936", "id": "PT_Microsoft_Windows_eventlog_4688_A_new_process_has_been_created", "importance": "info", "input_id": "00000000-0000-0000-0000-000000000000", "mime": "application/x-pt-eventlog", "msgid": "4688", "normalized": true, "object": "process", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\consent.exe", "object.process.id": "2032", "object.process.name": 
"consent.exe", "object.process.parent.id": "968", "object.process.path": "c:\\windows\\system32\\", "recv_ipv4": "127.0.0.1", "recv_time": "2023-06-19T10:56:53.856Z", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeDefault", "subject.account.session_id": "999", "subject.state": "on behalf of oneself", "tag": "some_tag", "task_id": "00000000-0000-0000-0000-000000000000", "taxonomy_version": "26.0.215-release-26.0", "time": "2019-05-11T17:10:10.623Z", "type": "raw", "uuid": "d61e0e53-ae9d-40fa-8d93-152160bbac12"}
{"_rule": "Subrule_CreateChildProcess_with_DifferentTokens", "action": "escalate", "alert.context": "PID_1264_start_process_wusa.exe_with_TokenElevationTypeLimited_then_PID_1264_start_process_wusa.exe_with_TokenElevationTypeFull", "alert.key": "TokenElevationTypeLimited->TokenElevationTypeFull", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation", "correlation_name": "Subrule_CreateChildProcess_with_DifferentTokens", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "incident.aggregation.key": "Subrule_CreateChildProcess_with_DifferentTokens|iewin7|1264", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "account", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.privileges": "TokenElevationTypeFull", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "time": "2019-05-11T17:10:15.623Z"}

# Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
expect 1 {"_rule": "AccessTokenManipulation_via_Consent", "action": "escalate", "category.generic": "Attack", "category.high": "Privilege Escalation", "category.low": "Access Token Manipulation", "correlation_name": "AccessTokenManipulation_via_Consent", "correlation_type": "incident", "count": 1, "event_src.fqdn": "iewin7", "event_src.host": "iewin7", "event_src.hostname": "iewin7", "event_src.subsys": "Security", "event_src.title": "windows", "event_src.vendor": "microsoft", "generator.type": "correlationengine", "importance": "medium", "incident.aggregation.key": "AccessTokenManipulation_via_Consent|iewin7|iewin7$", "incident.aggregation.timeout": 7200, "incident.category": "Undefined", "incident.severity": "medium", "normalized": true, "object": "account", "object.account.domain": "workgroup", "object.account.id": "S-1-5-18", "object.account.name": "iewin7$", "object.account.privileges": "TokenElevationTypeDefault", "object.account.session_id": "999", "object.process.fullpath": "c:\\windows\\system32\\wusa.exe", "object.process.id": "1456", "object.process.name": "wusa.exe", "object.process.parent.id": "1264", "object.process.path": "c:\\windows\\system32\\", "origin_app_id": "00000000-0000-0000-0000-000000000005", "primary_siem_app_id": "00000000-0000-0000-0000-000000000005", "status": "success", "subject": "account", "subject.account.domain": "workgroup", "subject.account.id": "S-1-5-18", "subject.account.name": "iewin7$", "subject.account.privileges": "TokenElevationTypeFull", "subject.account.session_id": "999", "subject.process.fullpath": "c:\\windows\\system32\\consent.exe", "subject.process.id": "2032", "subject.process.name": "consent.exe", "subject.process.path": "c:\\windows\\system32\\"}
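Review bot: The first fixture already carries `object.process.fullpath` and `object.process.name` in lowercase, i.e. the output of the normalizer as it was before this PR removed `lower()`, so the test cannot show whether the rule's literal `object.process.name == "consent.exe"` filter still matches the mixed-case path the changed formula presumably now emits; add a second run with `"object.process.name": "Consent.exe"` (and a matching fullpath) and state the expected count. The expected event also lacks `alert.key`, which the rule's i18n description references, so the test currently locks in the missing field rather than catching it. The two fixture events are 5 s apart, which only matters if the rule's `within 10s` window is actually in effect — it is commented out on the `rule` line.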
@@ -0,0 +1,4 @@
Description: 'AutoElevate process start was detected'
EventDescriptions:
- LocalizationId: 'corrname_Subrule_AutoElevate_detection'
EventDescription: 'Process {object.process.name} started with AutoElevation flag behalf of the user {object.account.domain}\{object.account.name} at host {event_src.host}'
@@ -0,0 +1,4 @@
Description: 'Обнаружен запуск процесса с автоматическим повышением привилегий (AutoElevate)'
EventDescriptions:
- LocalizationId: 'corrname_Subrule_AutoElevate_detection'
EventDescription: 'Процесс {object.process.name} запущен с автоматическим повышением привилегий от имени пользователя {object.account.domain}\{object.account.name} на хосте {event_src.host}'
@@ -0,0 +1,31 @@
ObjectId: LOC-CR-124009838
ContentAutoName: Subrule_AutoElevate_detection
ExpertContext:
Created: 22.06.2023
Updated: 26.06.2023
KnowledgeHolders:
- driverenok
Usecases:
- "Легитимная активность, в результате которой процесс, имеющий в манифесте исполняемого файла опцию AutoElevate, запускается дважды: 1й запуск - с LimitedToken, 2й раз - с FullToken"
Falsepositives:
- Процессы, родителем которых является процесс explorer.exe и запускаются администраторами
References:
- https://attack.mitre.org/techniques/T1548/
- https://github.com/rootm0s/WinPwnage
DataSources:
- Provider: Microsoft-Windows-Security-Auditing
EventID:
- 4688
- 4689
- Provider: Microsoft-Windows-Sysmon
EventID:
- 1
- 5
ContentRelations:
Implements:
ATTACK:
privilege-escalation:
- T1548
EventDescriptions:
- Criteria: correlation_name = "Subrule_AutoElevate_detection"
LocalizationId: corrname_Subrule_AutoElevate_detection
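Review bot: `ContentRelations.Implements.ATTACK` maps T1548 under `privilege-escalation` only, while the AccessTokenManipulation_via_Consent metainfo in the same PR maps T1548.002 under both `privilege-escalation` and `defense-evasion`; ATT&CK lists T1548 under both tactics as well, so the two files should agree — add `defense-evasion:` / `- T1548` here. `DataSources` lists 4689 and Sysmon event 5 (process termination); the subrule body is not part of this view, so if it does not actually consume termination events these entries overstate its inputs and should be trimmed. `Updated` (26.06.2023) is later than `Created` (22.06.2023), which is consistent with a revised draft; fine as is.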