diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/formula.xp b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/formula.xp
new file mode 100644
index 00000000..a1ae1249
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/formula.xp
@@ -0,0 +1,40 @@
+EVENTLOG = 'EventID="3"'
+!COND = $Channel=="Microsoft-Windows-Bits-Client/Operational" and $Provider["Name"]=="Microsoft-Windows-Bits-Client"
+
+action = "create"
+object = "task"
+status = "success"
+
+object.name = $Data["jobTitle"] # Job name
+
+object.account.fullname = $Data["jobOwner"]
+object.account.name = csv(object.account.fullname, "\\", "")[1]
+object.account.domain = csv(object.account.fullname, "\\", "")[0]
+
+object.process.fullpath = $Data["processPath"]
+$process_name = csv(object.process.fullpath, "\\", "")
+object.process.name = $process_name[length($process_name) - 1]
+object.process.id = $Data["processId"]
+
+object.id = $Data["jobId"]
+
+time = $TimeCreated["SystemTime"]
+
+msgid = $EventID
+
+$first_dot = find_substr($Computer, '.')
+if $first_dot != null then
+ event_src.fqdn = lower($Computer)
+ event_src.hostname = lower(substr($Computer, 0, $first_dot))
+else
+ event_src.hostname = lower($Computer)
+endif
+
+event_src.vendor = "microsoft"
+event_src.title = "windows"
+event_src.subsys = $Channel
+event_src.category = "Operating system"
+event_src.id = $Provider["Name"]
+
+
+id = "PT_Microsoft_Windows_eventlog_3_Bits_created_job"
\ No newline at end of file
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/i18n/i18n_en.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/i18n/i18n_en.yaml
new file mode 100644
index 00000000..f83e22e1
--- /dev/null
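Review bot: There is no null guard around the process fields: `$process_name = csv(object.process.fullpath, "\\", "")` is indexed with `length($process_name) - 1`, and the second test pair in this commit (raw_2.txt without a `processPath` entry, norm_2.js expecting `{}`) pins that such an event yields no normalized fields at all. If `{}` means the formula aborts on the missing field, the job id, title and owner of a BITS job whose creating process was not recorded are silently dropped, which is precisely the record a defender would want to keep. Wrapping the three `object.process.*` lines in `if object.process.fullpath != null then` … `endif` (the form the file already uses for `$first_dot`) would keep the rest of the event. The `[1]`/`[0]` indexing on `jobOwner` assumes a `DOMAIN\user` value; the same pattern is repeated in the EventID 4 and 5 formulas.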
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/i18n/i18n_en.yaml
@@ -0,0 +1,4 @@
+Description: 'A bitsadmin task has been created. Can be used to start a process'
+EventDescriptions:
+ - LocalizationId: '3_Bits_created_job_1'
+ EventDescription: 'On the {event_src.host} host, the user {object.account.fullname} creates a bitsadmin task - {object.name}'
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/i18n/i18n_ru.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/i18n/i18n_ru.yaml
new file mode 100644
index 00000000..37bf859f
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/i18n/i18n_ru.yaml
@@ -0,0 +1,4 @@
+Description: 'Создана задача bitsadmin. Может использоваться для запуска процесса'
+EventDescriptions:
+ - LocalizationId: '3_Bits_created_job_1'
+ EventDescription: 'На хосте {event_src.host} пользователем {object.account.fullname} cоздана задача bitsadmin - {object.name}'
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/metainfo.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/metainfo.yaml
new file mode 100644
index 00000000..b217348b
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/metainfo.yaml
@@ -0,0 +1,7 @@
+EventDescriptions:
+ - Criteria: id = "PT_Microsoft_Windows_eventlog_3_Bits_created_job"
+ LocalizationId: 3_Bits_created_job_1
+ObjectId: SEC-NF-553054921
+ExpertContext:
+ Created: 08.07.2024
+ Updated: 09.07.2024
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/tests/norm_1.js b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/tests/norm_1.js
new file mode 100644
index 00000000..7547418e
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/tests/norm_1.js
@@ -0,0 +1,22 @@
+{
+ "action": "create",
+ "event_src.category": "Operating system",
+ "event_src.hostname": "msedgewin10",
+ "event_src.id": "Microsoft-Windows-Bits-Client",
+ "event_src.subsys": "Microsoft-Windows-Bits-Client/Operational",
+ "event_src.title": "windows",
+ "event_src.vendor": "microsoft",
+ "id": "PT_Microsoft_Windows_eventlog_3_Bits_created_job",
+ "msgid": "3",
+ "object": "task",
+ "object.account.domain": "MSEDGEWIN10",
+ "object.account.fullname": "MSEDGEWIN10\\IEUser",
+ "object.account.name": "IEUser",
+ "object.id": "78E48D71-6706-4BEF-BE13-DD6596AECB77",
+ "object.name": "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe",
+ "object.process.fullpath": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
+ "object.process.id": "2136",
+ "object.process.name": "GoogleUpdate.exe",
+ "status": "success",
+ "time": "2021-03-15T19:01:32.644Z"
+}
\ No newline at end of file
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/tests/norm_2.js b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/tests/norm_2.js
new file mode 100644
index 00000000..9e26dfee
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/tests/norm_2.js
@@ -0,0 +1 @@
+{}
\ No newline at end of file
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/tests/raw_1.txt b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/tests/raw_1.txt
new file mode 100644
index 00000000..d78ba4f1
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/tests/raw_1.txt
@@ -0,0 +1 @@
+{"Event":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event","System":{"Provider":{"Name":"Microsoft-Windows-Bits-Client","Guid":"EF1CC15B-46C1-414E-BB95-E76B077BD51E"},"EventID":"3","Version":"2","Level":"4","Task":"0","Opcode":"0","Keywords":"0x4000000000000000","TimeCreated":{"SystemTime":"2021-03-15T19:01:32.644326Z"},"EventRecordID":"9407","Correlation":null,"Execution":{"ProcessID":"8100","ThreadID":"1356"},"Channel":"Microsoft-Windows-Bits-Client/Operational","Computer":"MSEDGEWIN10","Security":{"UserID":"S-1-5-18"}},"EventData":{"Data":[{"Name":"jobTitle","text":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe"},{"Name":"jobId","text":"78E48D71-6706-4BEF-BE13-DD6596AECB77"},{"Name":"jobOwner","text":"MSEDGEWIN10\\IEUser"},{"Name":"processPath","text":"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"},{"Name":"processId","text":"2136"}]}}}
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/tests/raw_2.txt b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/tests/raw_2.txt
new file mode 100644
index 00000000..470ceb18
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/3_Bits_created_job/tests/raw_2.txt
@@ -0,0 +1 @@
+{"Event":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event","System":{"Provider":{"Name":"Microsoft-Windows-Bits-Client","Guid":"EF1CC15B-46C1-414E-BB95-E76B077BD51E"},"EventID":"3","Version":"2","Level":"4","Task":"0","Opcode":"0","Keywords":"0x4000000000000000","TimeCreated":{"SystemTime":"2021-03-15T19:01:32.644326Z"},"EventRecordID":"9407","Correlation":null,"Execution":{"ProcessID":"8100","ThreadID":"1356"},"Channel":"Microsoft-Windows-Bits-Client/Operational","Computer":"MSEDGEWIN10","Security":{"UserID":"S-1-5-18"}},"EventData":{"Data":[{"Name":"jobTitle","text":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe"},{"Name":"jobId","text":"78E48D71-6706-4BEF-BE13-DD6596AECB77"},{"Name":"jobOwner","text":"MSEDGEWIN10\\IEUser"},{"Name":"processId","text":"2136"}]}}}
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/formula.xp b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/formula.xp
new file mode 100644
index 00000000..49401d86
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/formula.xp
@@ -0,0 +1,36 @@
+EVENTLOG = 'EventID="4"'
+!COND = $Channel=="Microsoft-Windows-Bits-Client/Operational" and $Provider["Name"]=="Microsoft-Windows-Bits-Client"
+
+action = "stop"
+object = "task"
+status = "success"
+
+object.name = $Data["jobTitle"] # Job name
+
+object.account.fullname = $Data["User"]
+object.account.name = csv(object.account.fullname, "\\", "")[1]
+object.account.domain = csv(object.account.fullname, "\\", "")[0]
+object.id = $Data["jobId"]
+
+count.bytes = $Data["bytesTransferred"]
+
+time = $TimeCreated["SystemTime"]
+
+msgid = $EventID
+
+$first_dot = find_substr($Computer, '.')
+if $first_dot != null then
+ event_src.fqdn = lower($Computer)
+ event_src.hostname = lower(substr($Computer, 0, $first_dot))
+else
+ event_src.hostname = lower($Computer)
+endif
+
+event_src.vendor = "microsoft"
+event_src.title = "windows"
+event_src.subsys = $Channel
+event_src.category = "Operating system"
+event_src.id = $Provider["Name"]
+
+
+id = "PT_Microsoft_Windows_eventlog_4_Bits_finished_job"
\ No newline at end of file
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/i18n/i18n_en.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/i18n/i18n_en.yaml
new file mode 100644
index 00000000..66473a04
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/i18n/i18n_en.yaml
@@ -0,0 +1,4 @@
+Description: 'The bitsadmin task has been completed'
+EventDescriptions:
+ - LocalizationId: '4_Bits_finished_job_1'
+ EventDescription: 'The bitsadmin task is executed on the {event_src.host} host - {object.name} created by the user {object.account.fullname}'
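Review bot: `count.bytes = $Data["bytesTransferred"]` names the transferred-byte counter differently from the EventID 60 formula in this same commit, which stores the same value as `count.bytes_in`; a query over completed BITS transfers should not have to know which formula produced the event, so pick one name for both and note the choice in a comment on that line. `object.account.name = csv(object.account.fullname, "\\", "")[1]` assumes `User` always has the `DOMAIN\user` form; if `csv` on a value without a backslash yields a single element, the `[1]` index is out of range, and the same pattern is in the EventID 3 and 5 formulas. A comment such as `# User is expected as DOMAIN\user; index [1] is the account, [0] the domain` would at least make the assumption visible.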
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/i18n/i18n_ru.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/i18n/i18n_ru.yaml
new file mode 100644
index 00000000..e43e7e6a
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/i18n/i18n_ru.yaml
@@ -0,0 +1,4 @@
+Description: 'Выполнена задача bitsadmin'
+EventDescriptions:
+ - LocalizationId: '4_Bits_finished_job_1'
+ EventDescription: 'На хосте {event_src.host} выполнена задача bitsadmin - {object.name}, созданная пользователем {object.account.fullname}'
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/metainfo.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/metainfo.yaml
new file mode 100644
index 00000000..26360ef1
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/metainfo.yaml
@@ -0,0 +1,7 @@
+EventDescriptions:
+ - Criteria: id = "PT_Microsoft_Windows_eventlog_4_Bits_finished_job"
+ LocalizationId: 4_Bits_finished_job_1
+ObjectId: SEC-NF-679402722
+ExpertContext:
+ Created: 09.07.2024
+ Updated: 09.07.2024
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/tests/norm_1.js b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/tests/norm_1.js
new file mode 100644
index 00000000..6b57416e
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/tests/norm_1.js
@@ -0,0 +1,20 @@
+{
+ "action": "stop",
+ "count.bytes": 1304160,
+ "event_src.category": "Operating system",
+ "event_src.hostname": "msedgewin10",
+ "event_src.id": "Microsoft-Windows-Bits-Client",
+ "event_src.subsys": "Microsoft-Windows-Bits-Client/Operational",
+ "event_src.title": "windows",
+ "event_src.vendor": "microsoft",
+ "id": "PT_Microsoft_Windows_eventlog_4_Bits_finished_job",
+ "msgid": "4",
+ "object": "task",
+ "object.account.domain": "MSEDGEWIN10",
+ "object.account.fullname": "MSEDGEWIN10\\IEUser",
+ "object.account.name": "IEUser",
+ "object.id": "3774C88F-94AD-4FC0-A559-EA76B5D829D6",
+ "object.name": "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe",
+ "status": "success",
+ "time": "2021-03-15T18:55:51.612Z"
+}
\ No newline at end of file
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/tests/raw_1.txt b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/tests/raw_1.txt
new file mode 100644
index 00000000..c6e0971c
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/4_Bits_finished_job/tests/raw_1.txt
@@ -0,0 +1 @@
+{"Event":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event","System":{"Provider":{"Name":"Microsoft-Windows-Bits-Client","Guid":"EF1CC15B-46C1-414E-BB95-E76B077BD51E"},"EventID":"4","Version":"1","Level":"4","Task":"0","Opcode":"0","Keywords":"0x4000000000000000","TimeCreated":{"SystemTime":"2021-03-15T18:55:51.612966Z"},"EventRecordID":"9406","Correlation":null,"Execution":{"ProcessID":"8100","ThreadID":"8184"},"Channel":"Microsoft-Windows-Bits-Client/Operational","Computer":"MSEDGEWIN10","Security":{"UserID":"S-1-5-18"}},"EventData":{"Data":[{"Name":"User","text":"MSEDGEWIN10\\IEUser"},{"Name":"jobTitle","text":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe"},{"Name":"jobId","text":"3774C88F-94AD-4FC0-A559-EA76B5D829D6"},{"Name":"jobOwner","text":"MSEDGEWIN10\\IEUser"},{"Name":"fileCount","text":"1"},{"Name":"bytesTransferred","text":"1304160"},{"Name":"bytesTransferredFromPeer","text":"0"}]}}}
\ No newline at end of file
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/formula.xp b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/formula.xp
new file mode 100644
index 00000000..b520c54a
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/formula.xp
@@ -0,0 +1,36 @@
+EVENTLOG = 'EventID="59"'
+!COND = $Channel=="Microsoft-Windows-Bits-Client/Operational" and $Provider["Name"]=="Microsoft-Windows-Bits-Client"
+
+action = "start"
+object = "task"
+status = "success"
+
+object.name = $Data["name"] # Job name
+object.path = $Data["url"]
+object.value = $Data["fileLength"]
+object.id = $Data["Id"]
+
+$domain = csv(object.path, "/", "")[2]
+dst.fqdn = lower($domain)
+
+time = $TimeCreated["SystemTime"]
+
+msgid = $EventID
+
+$first_dot = find_substr($Computer, '.')
+if $first_dot != null then
+ event_src.fqdn = lower($Computer)
+ event_src.hostname = lower(substr($Computer, 0, $first_dot))
+else
+ event_src.hostname = lower($Computer)
+endif
+
+event_src.vendor = "microsoft"
+event_src.title = "windows"
+event_src.subsys = $Channel
+event_src.category = "Operating system"
+event_src.id = $Provider["Name"]
+
+
+id = "PT_Microsoft_Windows_eventlog_59_Bits_started_job"
+
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/i18n/i18n_en.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/i18n/i18n_en.yaml
new file mode 100644
index 00000000..b5b3a00a
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/i18n/i18n_en.yaml
@@ -0,0 +1,4 @@
+Description: 'The bitsadmin task has started'
+EventDescriptions:
+ - LocalizationId: '59_Bits_started_job_1'
+ EventDescription: 'The bitsadmin task has started on the {event_src.host} host - {object.name}'
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/i18n/i18n_ru.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/i18n/i18n_ru.yaml
new file mode 100644
index 00000000..bcd0c413
--- /dev/null
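Review bot: `$domain = csv(object.path, "/", "")[2]` takes the third `/`-separated token of the URL verbatim, so `dst.fqdn` will carry `host:port` when the remote name has an explicit port and `user@host` when it has userinfo, and a remote name given as a UNC path (`\\server\share\...`, if BITS jobs in this environment use them) contains no `/` at all and would put the whole path into `dst.fqdn`. Trim the token at `:` and `@` before `lower($domain)`, or at least record the assumption with `# assumes http(s)://host/... with no port or userinfo` on that line; the same two lines are repeated in the EventID 60 formula. `object.value = $Data["fileLength"]` stores a byte count under a generic field while the EventID 4 and 60 formulas use `count.*` for byte counters, which is worth aligning or commenting.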
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/i18n/i18n_ru.yaml
@@ -0,0 +1,4 @@
+Description: 'Начато выполнение задачи bitsadmin'
+EventDescriptions:
+ - LocalizationId: '59_Bits_started_job_1'
+ EventDescription: 'На хосте {event_src.host} началось выполнение задачи bitsadmin - {object.name}'
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/metainfo.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/metainfo.yaml
new file mode 100644
index 00000000..c56ab02f
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/metainfo.yaml
@@ -0,0 +1,7 @@
+EventDescriptions:
+ - Criteria: id = "PT_Microsoft_Windows_eventlog_59_Bits_started_job"
+ LocalizationId: 59_Bits_started_job_1
+ObjectId: SEC-NF-201142207
+ExpertContext:
+ Created: 09.07.2024
+ Updated: 09.07.2024
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/tests/norm_1.js b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/tests/norm_1.js
new file mode 100644
index 00000000..c764e5bc
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/tests/norm_1.js
@@ -0,0 +1,19 @@
+{
+ "action": "start",
+ "dst.fqdn": "r5---sn-5hnedn7l.gvt1.com",
+ "event_src.category": "Operating system",
+ "event_src.hostname": "msedgewin10",
+ "event_src.id": "Microsoft-Windows-Bits-Client",
+ "event_src.subsys": "Microsoft-Windows-Bits-Client/Operational",
+ "event_src.title": "windows",
+ "event_src.vendor": "microsoft",
+ "id": "PT_Microsoft_Windows_eventlog_59_Bits_started_job",
+ "msgid": "59",
+ "object": "task",
+ "object.id": "3774C88F-94AD-4FC0-A559-EA76B5D829D6",
+ "object.name": "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe",
+ "object.path": "http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes",
+ "object.value": "1304160",
+ "status": "success",
+ "time": "2021-03-15T18:55:38.049Z"
+}
\ No newline at end of file
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/tests/raw_1.txt b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/tests/raw_1.txt
new file mode 100644
index 00000000..d1cbf2ee
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/59_Bits_started_job/tests/raw_1.txt
@@ -0,0 +1 @@
+{"Event":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event","System":{"Provider":{"Name":"Microsoft-Windows-Bits-Client","Guid":"EF1CC15B-46C1-414E-BB95-E76B077BD51E"},"EventID":"59","Version":"1","Level":"4","Task":"0","Opcode":"1","Keywords":"0x4000000000000000","TimeCreated":{"SystemTime":"2021-03-15T18:55:38.049422Z"},"EventRecordID":"9404","Correlation":{"ActivityID":"6125DC77-C387-4662-BB2F-F3816D1B4629"},"Execution":{"ProcessID":"8100","ThreadID":"4424"},"Channel":"Microsoft-Windows-Bits-Client/Operational","Computer":"MSEDGEWIN10","Security":{"UserID":"S-1-5-18"}},"EventData":{"Data":[{"Name":"transferId","text":"6125DC77-C387-4662-BB2F-F3816D1B4629"},{"Name":"name","text":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe"},{"Name":"Id","text":"3774C88F-94AD-4FC0-A559-EA76B5D829D6"},{"Name":"url","text":"http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes"},{"Name":"peer"},{"Name":"fileTime","text":"2021-01-22T06:31:14.000000Z"},{"Name":"fileLength","text":"1304160"},{"Name":"bytesTotal","text":"1304160"},{"Name":"bytesTransferred","text":"0"},{"Name":"bytesTransferredFromPeer","text":"0"}]}}}
\ No newline at end of file
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/formula.xp b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/formula.xp
new file mode 100644
index 00000000..61e1ca8f
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/formula.xp
@@ -0,0 +1,35 @@
+EVENTLOG = 'EventID="5"'
+!COND = $Channel=="Microsoft-Windows-Bits-Client/Operational" and $Provider["Name"]=="Microsoft-Windows-Bits-Client"
+
+action = "start"
+object = "task"
+status = "failure"
+
+object.name = $Data["jobTitle"] # Job name
+
+object.account.fullname = $Data["User"]
+object.account.name = csv(object.account.fullname, "\\", "")[1]
+object.account.domain = csv(object.account.fullname, "\\", "")[0]
+object.id = $Data["jobId"]
+
+time = $TimeCreated["SystemTime"]
+
+msgid = $EventID
+
+$first_dot = find_substr($Computer, '.')
+if $first_dot != null then
+ event_src.fqdn = lower($Computer)
+ event_src.hostname = lower(substr($Computer, 0, $first_dot))
+else
+ event_src.hostname = lower($Computer)
+endif
+
+event_src.vendor = "microsoft"
+event_src.title = "windows"
+event_src.subsys = $Channel
+event_src.category = "Operating system"
+event_src.id = $Provider["Name"]
+
+
+id = "PT_Microsoft_Windows_eventlog_5_Bits_cancel_job"
+
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/i18n/i18n_en.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/i18n/i18n_en.yaml
new file mode 100644
index 00000000..e5a4fb41
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/i18n/i18n_en.yaml
@@ -0,0 +1,4 @@
+Description: 'The bitsadmin task has been canceled'
+EventDescriptions:
+ - LocalizationId: '5_Bits_cancel_job_1'
+ EventDescription: 'The bitsadmin task has been canceled on the {event_src.host} host - {object.name } created by the user {object.account.fullname}'
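Review bot: `action = "start"` together with `status = "failure"` for EventID 5, which the directory name and both i18n texts describe as a cancelled job, reads as a contradiction on first sight and will not be found by a query for stopped tasks that works for EventID 4 and 60 (`action = "stop"`). If the taxonomy intentionally models a cancel as a failed start, say so on line 4 with `# a cancelled job is modelled as action=start / status=failure by convention`; otherwise `action = "stop"` is the consistent choice. The `[1]`/`[0]` indexing on `User` carries the same `DOMAIN\user` assumption as the EventID 3 and 4 formulas. Separately, the i18n_en.yaml that follows has `{object.name }` with a stray space inside the placeholder, which may stop it from being substituted.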
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/i18n/i18n_ru.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/i18n/i18n_ru.yaml
new file mode 100644
index 00000000..a28ef5b8
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/i18n/i18n_ru.yaml
@@ -0,0 +1,4 @@
+Description: 'Отменена задача bitsadmin'
+EventDescriptions:
+ - LocalizationId: '5_Bits_cancel_job_1'
+ EventDescription: 'На хосте {event_src.host} отменена задача bitsadmin - {object.name}, созданная пользователем {object.account.fullname}'
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/metainfo.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/metainfo.yaml
new file mode 100644
index 00000000..5e560b25
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/metainfo.yaml
@@ -0,0 +1,7 @@
+EventDescriptions:
+ - Criteria: id = "PT_Microsoft_Windows_eventlog_5_Bits_cancel_job"
+ LocalizationId: 5_Bits_cancel_job_1
+ObjectId: SEC-NF-157405267
+ExpertContext:
+ Created: 09.07.2024
+ Updated: 09.07.2024
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/tests/norm_1.js b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/tests/norm_1.js
new file mode 100644
index 00000000..bfa5ea07
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/tests/norm_1.js
@@ -0,0 +1,19 @@
+{
+ "action": "start",
+ "event_src.category": "Operating system",
+ "event_src.hostname": "msedgewin10",
+ "event_src.id": "Microsoft-Windows-Bits-Client",
+ "event_src.subsys": "Microsoft-Windows-Bits-Client/Operational",
+ "event_src.title": "windows",
+ "event_src.vendor": "microsoft",
+ "id": "PT_Microsoft_Windows_eventlog_5_Bits_cancel_job",
+ "msgid": "5",
+ "object": "task",
+ "object.account.domain": "MSEDGEWIN10",
+ "object.account.fullname": "MSEDGEWIN10\\IEUser",
+ "object.account.name": "IEUser",
+ "object.id": "D0CE1896-2836-4D3C-BF5C-C429B006A7C5",
+ "object.name": "6bfd95a1.png",
+ "status": "failure",
+ "time": "2021-03-15T18:50:22.964Z"
+}
\ No newline at end of file
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/tests/raw_1.txt b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/tests/raw_1.txt
new file mode 100644
index 00000000..a8a8f7c3
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/5_Bits_cancel_job/tests/raw_1.txt
@@ -0,0 +1 @@
+{"Event":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event","System":{"Provider":{"Name":"Microsoft-Windows-Bits-Client","Guid":"EF1CC15B-46C1-414E-BB95-E76B077BD51E"},"EventID":"5","Version":"0","Level":"4","Task":"0","Opcode":"0","Keywords":"0x4000000000000000","TimeCreated":{"SystemTime":"2021-03-15T18:50:22.964064Z"},"EventRecordID":"9376","Correlation":null,"Execution":{"ProcessID":"8100","ThreadID":"1936"},"Channel":"Microsoft-Windows-Bits-Client/Operational","Computer":"MSEDGEWIN10","Security":{"UserID":"S-1-5-21-3461203602-4096304019-2269080069-1000"}},"EventData":{"Data":[{"Name":"User","text":"MSEDGEWIN10\\IEUser"},{"Name":"jobTitle","text":"6bfd95a1.png"},{"Name":"jobId","text":"D0CE1896-2836-4D3C-BF5C-C429B006A7C5"},{"Name":"jobOwner","text":"MSEDGEWIN10\\IEUser"},{"Name":"fileCount","text":"1"}]}}}
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/formula.xp b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/formula.xp
new file mode 100644
index 00000000..6dcce096
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/formula.xp
@@ -0,0 +1,37 @@
+EVENTLOG = 'EventID="60"'
+!COND = $Channel=="Microsoft-Windows-Bits-Client/Operational" and $Provider["Name"]=="Microsoft-Windows-Bits-Client"
+
+action = "stop"
+object = "task"
+status = "success"
+
+object.name = $Data["name"] # Job name
+object.path = $Data["url"]
+object.value = $Data["fileLength"]
+object.id = $Data["Id"]
+
+$domain = csv(object.path, "/", "")[2]
+dst.fqdn = lower($domain)
+
+count.bytes_in = $Data["bytesTransferred"]
+
+time = $TimeCreated["SystemTime"]
+
+msgid = $EventID
+
+$first_dot = find_substr($Computer, '.')
+if $first_dot != null then
+ event_src.fqdn = lower($Computer)
+ event_src.hostname = lower(substr($Computer, 0, $first_dot))
+else
+ event_src.hostname = lower($Computer)
+endif
+
+event_src.vendor = "microsoft"
+event_src.title = "windows"
+event_src.subsys = $Channel
+event_src.category = "Operating system"
+event_src.id = $Provider["Name"]
+
+
+id = "PT_Microsoft_Windows_eventlog_60_Bits_stop_job"
\ No newline at end of file
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/i18n/i18n_en.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/i18n/i18n_en.yaml
new file mode 100644
index 00000000..77afd5a8
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/i18n/i18n_en.yaml
@@ -0,0 +1,4 @@
+Description: 'bitsadmin task has been stopped'
+EventDescriptions:
+ - LocalizationId: '60_Bits_stop_job_1'
+ EventDescription: 'The bitsadmin task has been stopped on the {event_src.host} host - {object.name}'
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/i18n/i18n_ru.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/i18n/i18n_ru.yaml
new file mode 100644
index 00000000..896a0082
--- /dev/null
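Review bot: `status = "success"` is hard-coded although the event data in raw_1.txt for this formula carries an `hr` entry (`"hr":"0"` in the test sample); if a non-zero `hr` marks a transfer that stopped with an error, those events are normalized as successful and an aborted download becomes indistinguishable from a completed one. Deriving the field from that value, e.g. `if $Data["hr"] == "0" then status = "success" else status = "failure" endif` in place of line 6, keeps the only signal the event offers for the outcome, with `$Data["hr"]` worth storing in a `datafield` for triage. `count.bytes_in` here versus `count.bytes` in the EventID 4 formula names the same counter differently, and the `csv(object.path, "/", "")[2]` host extraction shares the port/userinfo/UNC limitation noted on the EventID 59 formula.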
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/i18n/i18n_ru.yaml
@@ -0,0 +1,4 @@
+Description: 'остановлено выполнение задачи bitsadmin'
+EventDescriptions:
+ - LocalizationId: '60_Bits_stop_job_1'
+ EventDescription: 'На хосте {event_src.host} остановлено выполнение задачи bitsadmin - {object.name}'
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/metainfo.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/metainfo.yaml
new file mode 100644
index 00000000..6fc3d229
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/metainfo.yaml
@@ -0,0 +1,7 @@
+EventDescriptions:
+ - Criteria: id = "PT_Microsoft_Windows_eventlog_60_Bits_stop_job"
+ LocalizationId: 60_Bits_stop_job_1
+ObjectId: SEC-NF-936295479
+ExpertContext:
+ Created: 09.07.2024
+ Updated: 09.07.2024
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/tests/norm_1.js b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/tests/norm_1.js
new file mode 100644
index 00000000..63369ef5
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/tests/norm_1.js
@@ -0,0 +1,20 @@
+{
+ "action": "stop",
+ "count.bytes_in": 1304160,
+ "dst.fqdn": "r5---sn-5hnedn7l.gvt1.com",
+ "event_src.category": "Operating system",
+ "event_src.hostname": "msedgewin10",
+ "event_src.id": "Microsoft-Windows-Bits-Client",
+ "event_src.subsys": "Microsoft-Windows-Bits-Client/Operational",
+ "event_src.title": "windows",
+ "event_src.vendor": "microsoft",
+ "id": "PT_Microsoft_Windows_eventlog_60_Bits_stop_job",
+ "msgid": "60",
+ "object": "task",
+ "object.id": "3774C88F-94AD-4FC0-A559-EA76B5D829D6",
+ "object.name": "C:\\Users\\IEUser\\AppData\\Local\\Temp\\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe",
+ "object.path": "http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes",
+ "object.value": "1304160",
+ "status": "success",
+ "time": "2021-03-15T18:55:51.603Z"
+}
\ No newline at end of file
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/tests/raw_1.txt b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/tests/raw_1.txt
new file mode 100644
index 00000000..5bc25d33
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Bits_Client/60_Bits_stop_job/tests/raw_1.txt
@@ -0,0 +1 @@ +{"Event":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event","System":{"Provider":{"Name":"Microsoft-Windows-Bits-Client","Guid":"EF1CC15B-46C1-414E-BB95-E76B077BD51E"},"EventID":"60","Version":"1","Level":"4","Task":"0","Opcode":"2","Keywords":"0x4000000000000000","TimeCreated":{"SystemTime":"2021-03-15T18:55:51.603329Z"},"EventRecordID":"9405","Correlation":{"ActivityID":"6125DC77-C387-4662-BB2F-F3816D1B4629"},"Execution":{"ProcessID":"8100","ThreadID":"5972"},"Channel":"Microsoft-Windows-Bits-Client/Operational","Computer":"MSEDGEWIN10","Security":{"UserID":"S-1-5-18"}},"EventData":{"Data":[{"Name":"transferId","text":"6125DC77-C387-4662-BB2F-F3816D1B4629"},{"Name":"name","text":"C:\\Users\\IEUser\\AppData\\Local\\Temp\\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe"},{"Name":"Id","text":"3774C88F-94AD-4FC0-A559-EA76B5D829D6"},{"Name":"url","text":"http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes"},{"Name":"peer"},{"Name":"hr","text":"0"},{"Name":"fileTime","text":"2021-01-22T06:31:14.000000Z"},{"Name":"fileLength","text":"1304160"},{"Name":"bytesTotal","text":"1304160"},{"Name":"bytesTransferred","text":"1304160"},{"Name":"proxy"},{"Name":"peerProtocolFlags","text":"0"},{"Name":"bytesTransferredFromPeer","text":"0"},{"Name":"AdditionalInfoHr","text":"0"},{"Name":"PeerContextInfo","text":"0"},{"Name":"bandwidthLimit","text":"18446744073709551615"},{"Name":"ignoreBandwidthLimitsOnLan","text":"false"}]}}} \ No newline at end of file 
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/formula.xp b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/formula.xp
new file mode 100644
index 00000000..12d671c9
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/formula.xp
@@ -0,0 +1,36 @@
+EVENTLOG = 'EventID="1116"'
+COND = lower($Channel)=="microsoft-windows-windows defender/operational" and $Provider["Name"]=="Microsoft-Windows-Windows Defender"
+
+msgid = $EventID
+
+action = "alert"
+object = "malware"
+status = "success"
+
+object.id = $Data["Threat ID"]
+object.name = $Data["Threat Name"]
+object.path = $Data["Path"]
+object.account.name = $Data["Detection User"]
+object.type = $Data["Category Name"]
+
+datafield1 = $Data["Security intelligence Version"]
+datafield2 = $Data["Engine Version"]
+
+importance = "info"
+
+event_src.vendor = "microsoft"
+event_src.title = "windows"
+event_src.subsys = $Channel
+
+if find_substr($Computer, '.') != null then
+ event_src.fqdn = lower($Computer)
+ event_src.hostname = lower(substr($Computer, 0, find_substr($Computer, '.')))
+else
+ event_src.hostname = lower($Computer)
+endif
+
+event_src.category = "Anti-virus"
+time = $Data["Detection Time"]
+
+
+id = "1116_MalwareProtection_State_Malware_Detected"
\ No newline at end of file
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/i18n/i18n_en.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/i18n/i18n_en.yaml
new file mode 100644
index 00000000..4d3cb144
--- /dev/null
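Review bot: `object.account.name = $Data["Detection User"]` stores a domain-qualified value (the fixture carries `NT AUTHORITY\СИСТЕМА`) in the bare-name field, whereas the Bits_Client events consumed by the Create_bits_job_and_download rule in this commit expose `object.account.fullname`, `object.account.name` and `object.account.domain` separately; assigning the raw value to `object.account.fullname` and deriving name/domain from it would keep account fields comparable across normalizers. `importance = "info"` is hard-coded although the event carries `Severity ID` and `Severity Name` (both present in the raw fixture), so a critical detection is ranked like a low one — consider deriving importance from `$Data["Severity ID"]`. `find_substr($Computer, '.')` is evaluated twice in the hostname branch; storing it once in a local such as `$first_dot` avoids the repetition. The `id` also lacks the `PT_Microsoft_Windows_eventlog_` prefix used by `PT_Microsoft_Windows_eventlog_60_Bits_stop_job` in the same commit; if it is renamed, the metainfo `Criteria` and the test expectation must change with it.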
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/i18n/i18n_en.yaml @@ -0,0 +1,4 @@ +Description: 'Windows Defender Detection' +EventDescriptions: + - LocalizationId: '1116_MalwareProtection_State_Malware_Detected_1' + EventDescription: 'On the {event_src.host} host, Windows Defender detected {object.name}' diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/i18n/i18n_ru.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/i18n/i18n_ru.yaml new file mode 100644 index 00000000..a77beb5f --- /dev/null +++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/i18n/i18n_ru.yaml @@ -0,0 +1,4 @@ +Description: 'Обнаружение Windows Defender' +EventDescriptions: + - LocalizationId: '1116_MalwareProtection_State_Malware_Detected_1' + EventDescription: 'На хосте {event_src.host} Windows Defender обнаружил {object.name}' diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/metainfo.yaml b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/metainfo.yaml new file mode 100644 index 00000000..27fcba5c --- /dev/null +++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/metainfo.yaml @@ -0,0 +1,7 @@ +EventDescriptions: + - Criteria: id = "1116_MalwareProtection_State_Malware_Detected" + LocalizationId: 1116_MalwareProtection_State_Malware_Detected_1 +ObjectId: SEC-NF-191670236 +ExpertContext: + Created: 14.08.2024 + Updated: 14.08.2024 
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/tests/norm_1.js b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/tests/norm_1.js
new file mode 100644
index 00000000..295ec652
--- /dev/null
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/tests/norm_1.js
@@ -0,0 +1,23 @@
+{
+ "action": "alert",
+ "datafield1": "AV: 1.415.475.0, AS: 1.415.475.0, NIS: 1.415.475.0",
+ "datafield2": "AM: 1.1.24060.5, NIS: 1.1.24060.5",
+ "event_src.category": "Anti-virus",
+ "event_src.fqdn": "desktop-u2fh49e",
+ "event_src.host": "desktop-u2fh49e",
+ "event_src.hostname": "desktop-u2fh49e",
+ "event_src.subsys": "Microsoft-Windows-Windows Defender/Operational",
+ "event_src.title": "windows",
+ "event_src.vendor": "microsoft",
+ "id": "1116_MalwareProtection_State_Malware_Detected",
+ "importance": "info",
+ "msgid": "1116",
+ "object": "malware",
+ "object.account.name": "NT AUTHORITY\\СИСТЕМА",
+ "object.id": "2147729613",
+ "object.name": "Trojan:Win32/BITSAbuse.AS",
+ "object.path": "CmdLine:_C:\\Windows\\System32\\bitsadmin.exe /addfile 1 c:\\windows\\system32\\cmd.exe c:\\users\\qwer\\1.exe",
+ "object.type": "Троян",
+ "status": "success",
+ "time": "2024-08-08T20:27:23.732Z"
+}
\ No newline at end of file
diff --git a/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/tests/raw_1.txt b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/tests/raw_1.txt
new file mode 100644
index 00000000..2cbd8b63
--- /dev/null
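Review bot: The expectation lists `"event_src.fqdn": "desktop-u2fh49e"` and `"event_src.host"`, but the formula under test assigns `event_src.fqdn` only when `$Computer` contains a dot, and the raw fixture's `Computer` is `DESKTOP-U2FH49E`; the 60_Bits_stop_job expectation in this commit, produced by the same hostname logic, lists neither field. If the test harness does not enrich these fields the expectation cannot match, and if it does, the two fixtures should agree on whether enriched fields are asserted.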
+++ b/packages/system/normalization_formulas/Microsoft/Windows/eventlog/Common/Windows_Defender/1116_MalwareProtection_State_Malware_Detected/tests/raw_1.txt 
@@ -0,0 +1 @@ +{"Event":{"xmlns":"http://schemas.microsoft.com/win/2004/08/events/event","System":{"Provider":{"Name":"Microsoft-Windows-Windows Defender","Guid":"11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"},"EventID":"1116","Version":"0","Level":"3","Task":"0","Opcode":"0","Keywords":"0x8000000000000000","TimeCreated":{"SystemTime":"2024-08-08T20:27:23.738174Z"},"EventRecordID":"768","Correlation":null,"Execution":{"ProcessID":"3740","ThreadID":"8992"},"Channel":"Microsoft-Windows-Windows Defender/Operational","Computer":"DESKTOP-U2FH49E","Security":{"UserID":"S-1-5-18"}},"EventData":{"Data":[{"Name":"Product Name","text":"Антивирусная программа Microsoft Defender"},{"Name":"Product Version","text":"4.18.24060.7"},{"Name":"Detection ID","text":"{8CC642E5-9C54-4245-8DB0-613F1545601C}"},{"Name":"Detection Time","text":"2024-08-08T20:27:23.732Z"},{"Name":"Unused"},{"Name":"Unused2"},{"Name":"Threat ID","text":"2147729613"},{"Name":"Threat Name","text":"Trojan:Win32/BITSAbuse.AS"},{"Name":"Severity ID","text":"5"},{"Name":"Severity Name","text":"Критический"},{"Name":"Category ID","text":"8"},{"Name":"Category Name","text":"Троян"},{"Name":"FWLink","text":"https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/BITSAbuse.AS&threatid=2147729613&enterprise=0"},{"Name":"Status Code","text":"1"},{"Name":"Status Description"},{"Name":"State","text":"1"},{"Name":"Source ID","text":"2"},{"Name":"Source Name","text":"Система"},{"Name":"Process Name","text":"Unknown"},{"Name":"Detection User","text":"NT AUTHORITY\\СИСТЕМА"},{"Name":"Unused3"},{"Name":"Path","text":"CmdLine:_C:\\Windows\\System32\\bitsadmin.exe /addfile 1 c:\\windows\\system32\\cmd.exe c:\\users\\qwer\\1.exe"},{"Name":"Origin ID","text":"0"},{"Name":"Origin Name","text":"Неизвестно"},{"Name":"Execution ID","text":"0"},{"Name":"Execution Name","text":"Неизвестно"},{"Name":"Type ID","text":"0"},{"Name":"Type Name","text":"Конкретный"},{"Name":"Pre Execution Status","text":"0"},{"Name":"Action 
ID","text":"9"},{"Name":"Action Name","text":"Неприменимо"},{"Name":"Unused4"},{"Name":"Error Code","text":"0x00000000"},{"Name":"Error Description","text":"Операция успешно завершена. "},{"Name":"Unused5"},{"Name":"Post Clean Status","text":"0"},{"Name":"Additional Actions ID","text":"0"},{"Name":"Additional Actions String","text":"No additional actions required"},{"Name":"Remediation User"},{"Name":"Unused6"},{"Name":"Security intelligence Version","text":"AV: 1.415.475.0, AS: 1.415.475.0, NIS: 1.415.475.0"},{"Name":"Engine Version","text":"AM: 1.1.24060.5, NIS: 1.1.24060.5"}]}}} diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/i18n/i18n_en.yaml new file mode 100644 index 00000000..e7516f85 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/i18n/i18n_en.yaml @@ -0,0 +1,4 @@ +Description: 'Attackers can use bits tasks to download or run a file' +EventDescriptions: + - LocalizationId: 'corrname_Create_bits_job_and_download' + EventDescription: 'The task has been completed on the {event_src.host} host {object.name} created by the user {object.account.fullname}' diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/i18n/i18n_ru.yaml new file mode 100644 index 00000000..fccf0753 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/i18n/i18n_ru.yaml 
@@ -0,0 +1,4 @@ +Description: 'Атакующие могут использовать задачи bits для загрузки или запуска файла' +EventDescriptions: + - LocalizationId: 'corrname_Create_bits_job_and_download' + EventDescription: 'На хосте {event_src.host} выполнена задача {object.name}, созданная пользователем {object.account.fullname}' diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/metainfo.yaml new file mode 100644 index 00000000..631ef8dd --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/metainfo.yaml @@ -0,0 +1,27 @@ +ContentAutoName: bits_openvpn +ExpertContext: + Created: 04.07.2024 + Updated: 21.07.2024 + KnowledgeHolders: + - d3f0x0 (Vadim Varganov) + Usecases: + - Attackers can use bits tasks to download or run a file + Falsepositives: + - Administrative action + References: + - https://learn.microsoft.com/en-us/windows/win32/bits/using-winrm-windows-powershell-cmdlets-to-manage-bits-transfer-jobs + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/BITS.htm + Improvements: [] +ObjectId: SEC-CR-118607702 +ContentRelations: + Implements: + ATTACK: + defense-evasion: + - T1197 + persistence: + - T1197 + command-and-control: + - T1197 +EventDescriptions: + - Criteria: correlation_name = "Create_bits_job_and_download" + LocalizationId: corrname_Create_bits_job_and_download diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/rule.co new file mode 100644 index 00000000..7cb28d07 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/rule.co 
@@ -0,0 +1,68 @@
+event Bits_create_job:
+ key:
+ event_src.host, object.id
+ filter {
+ msgid == "3"
+ and event_src.id == "Microsoft-Windows-Bits-Client"
+ }
+
+event Bits_started_download:
+ key:
+ event_src.host, object.id
+ filter {
+ msgid == "59"
+ and event_src.id == "Microsoft-Windows-Bits-Client"
+ }
+
+event Bits_fininished_job:
+ key:
+ event_src.host, object.id
+ filter {
+ msgid == "4"
+ and event_src.id == "Microsoft-Windows-Bits-Client"
+ }
+
+
+rule Create_bits_job_and_download: (Bits_create_job -> Bits_started_download ->Bits_fininished_job) timer 30m
+
+on Bits_create_job {
+
+ $object.name = object.name
+ $object.account.fullname = object.account.fullname
+ $object.account.name = object.account.name
+ $object.account.domain = object.account.domain
+
+ $object.process.fullpath = object.process.fullpath
+ $object.process.name = object.process.name
+ $object.process.id = object.process.id
+ $object.id = object.id
+ $event_src.fqdn = event_src.fqdn
+ $event_src.hostname = event_src.hostname
+ $event_src.host = event_src.hostname
+
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.category = event_src.category
+ $event_src.id = event_src.id
+}
+
+on Bits_started_download {
+ $object.name = object.name # Job name
+ $object.path = object.path
+ $object.value = object.value
+
+ $dst.fqdn = dst.fqdn
+}
+
+on Bits_fininished_job {
+ $status = "success"
+}
+
+emit {
+ $correlation_type = "event"
+ $importance = "high"
+
+ $action = "start"
+ $object = "task"
+}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/tests/raw_events_1.json
new file mode 100644
index 00000000..818c2612
--- /dev/null
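Review bot: The three event filters constrain only `msgid` and `event_src.id`, so the sequence `Bits_create_job -> Bits_started_download -> Bits_fininished_job` fires a `$importance = "high"` correlation for every BITS job that completes on any host, including the routine system traffic visible in this commit's own fixtures (the push-notification tile download, the GoogleUpdateSetup transfer). Consider narrowing `Bits_create_job` on fields the rule already copies — for instance excluding known updater images by `object.process.fullpath` or trusted `dst.fqdn` values via a maintained list — or lowering the importance until such a baseline exists. A job whose transfer starts but never reaches the msgid 4 event within the 30m timer raises nothing, which is worth stating in a comment above the `rule` line as a deliberate trade-off. The alias `Bits_fininished_job` is misspelled in all four occurrences, and `->Bits_fininished_job` lacks the space the other two arrows have; `Bits_finished_job` throughout would read cleanly.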
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/tests/raw_events_1.json 
@@ -0,0 +1,6 @@ +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Bits-Client\",\"Guid\":\"{ef1cc15b-46c1-414e-bb95-e76b077bd51e}\"},\"EventID\":\"60\",\"Version\":\"1\",\"Level\":\"4\",\"Task\":\"0\",\"Opcode\":\"2\",\"Keywords\":\"0x4000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-03-15 18:53:54.317511\"},\"EventRecordID\":\"9397\",\"Correlation\":{\"ActivityID\":\"{3890f7bf-e4a4-48e5-b550-5ed41936d17f}\"},\"Execution\":{\"ProcessID\":\"8100\",\"ThreadID\":\"5972\"},\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"transferId\",\"text\":\"{3890f7bf-e4a4-48e5-b550-5ed41936d17f}\"},{\"Name\":\"name\",\"text\":\"Push Notification Platform Job: 1\"},{\"Name\":\"Id\",\"text\":\"{3867d376-2568-4730-90e4-d460ff9d4dc9}\"},{\"Name\":\"url\",\"text\":\"https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png\"},{\"Name\":\"peer\"},{\"Name\":\"hr\",\"text\":\"0\"},{\"Name\":\"fileTime\",\"text\":\"2021-03-08 00:10:28\"},{\"Name\":\"fileLength\",\"text\":\"30038\"},{\"Name\":\"bytesTotal\",\"text\":\"30038\"},{\"Name\":\"bytesTransferred\",\"text\":\"30038\"},{\"Name\":\"proxy\"},{\"Name\":\"peerProtocolFlags\",\"text\":\"0\"},{\"Name\":\"bytesTransferredFromPeer\",\"text\":\"0\"},{\"Name\":\"AdditionalInfoHr\",\"text\":\"0\"},{\"Name\":\"PeerContextInfo\",\"text\":\"0\"},{\"Name\":\"bandwidthLimit\",\"text\":\"18446744073709551615\"},{\"Name\":\"ignoreBandwidthLimitsOnLan\",\"text\":\"False\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-04T08:22:05.637Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"1c552bbc-1276-4a8a-bd36-93a55cb936dc"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Bits-Client\",\"Guid\":\"{ef1cc15b-46c1-414e-bb95-e76b077bd51e}\"},\"EventID\":\"4\",\"Version\":\"1\",\"Level\":\"4\",\"Task\":\"0\",\"Opcode\":\"0\",\"Keywords\":\"0x4000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-03-15 18:53:54.320107\"},\"EventRecordID\":\"9398\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"8100\",\"ThreadID\":\"5972\"},\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"jobTitle\",\"text\":\"Push Notification Platform Job: 1\"},{\"Name\":\"jobId\",\"text\":\"{3867d376-2568-4730-90e4-d460ff9d4dc9}\"},{\"Name\":\"jobOwner\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"fileCount\",\"text\":\"1\"},{\"Name\":\"bytesTransferred\",\"text\":\"30038\"},{\"Name\":\"bytesTransferredFromPeer\",\"text\":\"0\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-04T08:22:05.637Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"2c1eedc7-54b9-4dc8-9ac1-0908f9eea2a4"} +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Bits-Client\",\"Guid\":\"{ef1cc15b-46c1-414e-bb95-e76b077bd51e}\"},\"EventID\":\"3\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"0\",\"Opcode\":\"0\",\"Keywords\":\"0x4000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-03-15 
18:54:14.168472\"},\"EventRecordID\":\"9399\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"8100\",\"ThreadID\":\"8184\"},\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"jobTitle\",\"text\":\"efc1a28b.png\"},{\"Name\":\"jobId\",\"text\":\"{2655ebaf-2c16-4e2d-90e3-99c5249cc4f3}\"},{\"Name\":\"jobOwner\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"processPath\",\"text\":\"C:\\\\Windows\\\\SysWOW64\\\\notepad.exe\"},{\"Name\":\"processId\",\"text\":\"4016\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-04T08:22:05.637Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"53424746-3d92-4b7a-b4fe-2113f86408bd"} +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Bits-Client\",\"Guid\":\"{ef1cc15b-46c1-414e-bb95-e76b077bd51e}\"},\"EventID\":\"59\",\"Version\":\"1\",\"Level\":\"4\",\"Task\":\"0\",\"Opcode\":\"1\",\"Keywords\":\"0x4000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-03-15 18:54:15.647333\"},\"EventRecordID\":\"9400\",\"Correlation\":{\"ActivityID\":\"{914d3c21-a45e-43d5-bcff-9e53b581ce2d}\"},\"Execution\":{\"ProcessID\":\"8100\",\"ThreadID\":\"5432\"},\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"transferId\",\"text\":\"{914d3c21-a45e-43d5-bcff-9e53b581ce2d}\"},{\"Name\":\"name\",\"text\":\"efc1a28b.png\"},{\"Name\":\"Id\",\"text\":\"{2655ebaf-2c16-4e2d-90e3-99c5249cc4f3}\"},{\"Name\":\"url\",\"text\":\"https://i.imgur.com/IFpvPlt.png\"},{\"Name\":\"peer\"},{\"Name\":\"fileTime\",\"text\":\"2021-02-24 
21:52:17\"},{\"Name\":\"fileLength\",\"text\":\"394556\"},{\"Name\":\"bytesTotal\",\"text\":\"394556\"},{\"Name\":\"bytesTransferred\",\"text\":\"0\"},{\"Name\":\"bytesTransferredFromPeer\",\"text\":\"0\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-04T08:22:05.637Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"c17d1351-5783-4a2d-b76b-f9ac39aa5bc4"} +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Bits-Client\",\"Guid\":\"{ef1cc15b-46c1-414e-bb95-e76b077bd51e}\"},\"EventID\":\"60\",\"Version\":\"1\",\"Level\":\"4\",\"Task\":\"0\",\"Opcode\":\"2\",\"Keywords\":\"0x4000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-03-15 18:54:50.487825\"},\"EventRecordID\":\"9401\",\"Correlation\":{\"ActivityID\":\"{914d3c21-a45e-43d5-bcff-9e53b581ce2d}\"},\"Execution\":{\"ProcessID\":\"8100\",\"ThreadID\":\"8184\"},\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"transferId\",\"text\":\"{914d3c21-a45e-43d5-bcff-9e53b581ce2d}\"},{\"Name\":\"name\",\"text\":\"efc1a28b.png\"},{\"Name\":\"Id\",\"text\":\"{2655ebaf-2c16-4e2d-90e3-99c5249cc4f3}\"},{\"Name\":\"url\",\"text\":\"https://i.imgur.com/IFpvPlt.png\"},{\"Name\":\"peer\"},{\"Name\":\"hr\",\"text\":\"0\"},{\"Name\":\"fileTime\",\"text\":\"2021-02-24 
21:52:17\"},{\"Name\":\"fileLength\",\"text\":\"394556\"},{\"Name\":\"bytesTotal\",\"text\":\"394556\"},{\"Name\":\"bytesTransferred\",\"text\":\"394556\"},{\"Name\":\"proxy\"},{\"Name\":\"peerProtocolFlags\",\"text\":\"0\"},{\"Name\":\"bytesTransferredFromPeer\",\"text\":\"0\"},{\"Name\":\"AdditionalInfoHr\",\"text\":\"0\"},{\"Name\":\"PeerContextInfo\",\"text\":\"0\"},{\"Name\":\"bandwidthLimit\",\"text\":\"18446744073709551615\"},{\"Name\":\"ignoreBandwidthLimitsOnLan\",\"text\":\"False\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-04T08:22:05.637Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"2758b8c0-d0eb-43a3-a233-032900d590a8"} +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Bits-Client\",\"Guid\":\"{ef1cc15b-46c1-414e-bb95-e76b077bd51e}\"},\"EventID\":\"4\",\"Version\":\"1\",\"Level\":\"4\",\"Task\":\"0\",\"Opcode\":\"0\",\"Keywords\":\"0x4000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-03-15 
18:54:51.653753\"},\"EventRecordID\":\"9402\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"8100\",\"ThreadID\":\"8184\"},\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"jobTitle\",\"text\":\"efc1a28b.png\"},{\"Name\":\"jobId\",\"text\":\"{2655ebaf-2c16-4e2d-90e3-99c5249cc4f3}\"},{\"Name\":\"jobOwner\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"fileCount\",\"text\":\"1\"},{\"Name\":\"bytesTransferred\",\"text\":\"394556\"},{\"Name\":\"bytesTransferredFromPeer\",\"text\":\"0\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-04T08:22:05.637Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"3cd0e43b-dfdb-40f7-8ce1-994403585b93"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/tests/test_conds_1.tc new file mode 100644 index 00000000..26b9c794 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_and_download/tests/test_conds_1.tc 
@@ -0,0 +1 @@ +expect 1 {"action":"start","correlation_name":"Create_bits_job_and_download","correlation_type":"event","dst.fqdn":"i.imgur.com","event_src.category":"Operating system","event_src.fqdn":"msedgewin10","event_src.host":"msedgewin10","event_src.hostname":"msedgewin10","event_src.id":"Microsoft-Windows-Bits-Client","event_src.subsys":"Microsoft-Windows-Bits-Client/Operational","event_src.title":"windows","event_src.vendor":"microsoft","importance":"high","object":"task","object.name":"efc1a28b.png","object.path":"https://i.imgur.com/IFpvPlt.png","object.process.fullpath":"C:\\Windows\\SysWOW64\\notepad.exe","object.process.id":"4016","object.process.name":"notepad.exe","object.value":"394556","status":"success"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/i18n/i18n_en.yaml new file mode 100644 index 00000000..51776c14 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/i18n/i18n_en.yaml @@ -0,0 +1,4 @@ +Description: 'The rule detects interaction with BITS based on command line arguments and powershell cmdlets' +EventDescriptions: + - LocalizationId: 'corrname_Create_bits_job_cmdline' + EventDescription: 'Execution of {object.process.cmdline} commands for manipulating BITS tasks was detected on the {event_src.host} host' diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/i18n/i18n_ru.yaml new file mode 100644 index 00000000..983f7272 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/i18n/i18n_ru.yaml 
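Review bot: The expected correlation asserts `object.process.*`, `object.path` and `object.value` but none of `object.account.fullname`, `object.account.name`, `object.account.domain` or `object.id`, all of which the rule copies from `Bits_create_job`; the fixture's msgid 3 event carries `jobOwner` `MSEDGEWIN10\IEUser` and a `jobId`, so these should be present if the normalizer populates them. If `expect` is an exact match the missing keys indicate the fields are not being set; if it is a subset match, adding at least `"object.account.fullname"` would pin the value the localization text `{object.account.fullname}` depends on.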
@@ -0,0 +1,4 @@ +Description: 'Правило обнаруживает взаимодействие с BITS на основе аргументов командной строки и командлетов powershell' +EventDescriptions: + - LocalizationId: 'corrname_Create_bits_job_cmdline' + EventDescription: 'На хосте {event_src.host} обнаружено выполнение команд {object.process.cmdline} для манипулирования задачами BITS' diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/metainfo.yaml new file mode 100644 index 00000000..d8bdc8cf --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/metainfo.yaml @@ -0,0 +1,42 @@ +ContentAutoName: Create_bits_job_cmdline +ExpertContext: + Created: 09.07.2024 + Updated: 15.08.2024 + KnowledgeHolders: + - d3f0x0 (Vadim Varganov) + Usecases: + - Attacker create BITS for download or upload file, C2 + Falsepositives: + - Administrative action + References: + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/main/TTPs/Defense%20Evasion/T1197%20-%20BITS%20Jobs/Procedures.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md + - https://learn.microsoft.com/ru-ru/windows/win32/bits/background-intelligent-transfer-service-portal + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/BITS.htm + Improvements: [] + DataSources: + - Provider: Microsoft-Windows-Security-Auditing + EventID: + - 4688 + - Provider: Microsoft-Windows-Sysmon + EventID: + - 1 + - Provider: Microsoft-Windows-PowerShell + EventID: + - 4103 + - 4104 +ObjectId: SEC-CR-132540762 +ContentRelations: + Implements: + ATTACK: + persistence: + - T1197 + defense-evasion: + - T1197 + command-and-control: + - T1105 + exfiltration: + - T1048 +EventDescriptions: + - Criteria: correlation_name = "Create_bits_job_cmdline" + LocalizationId: corrname_Create_bits_job_cmdline 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/rule.co new file mode 100644 index 00000000..8191975d --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/rule.co 
@@ -0,0 +1,233 @@
+event Process_Start:
+ key:
+ event_src.host
+ filter {
+ filter::NotFromCorrelator()
+ and (
+ filter::ProcessStart_Windows_commandline("bitsadmin.exe", ".*transfer.*|.*create.*|.*addfile.*|.*setnotifyflags.*|.*setnotifycmdline.*|.*setminretrydelay.*|.*setcustomheaders.*|.*resume.*")
+ or
+ filter::ProcessStart_Windows_commandline("powershell.exe", ".*start-bitstransfer.*|.*add-bitsfile.*|.*resume-bitstransfer.*|.*set-bitstransfer.*|.*bits.manager.*")
+ or
+ filter::ProcessStart_Windows_commandline("powershell_ise.exe", ".*start-bitstransfer.*|.*add-bitsfile.*|.*resume-bitstransfer.*|.*set-bitstransfer.*|.*bits.manager.*")
+ )
+ }
+
+
+event Powershell_Pipeline_Execute:
+ key:
+ event_src.host
+ filter {
+ filter::NotFromCorrelator()
+ and msgid == "4104"
+ and action == "execute"
+ and event_src.title == "windows"
+ and object == "command"
+ and event_src.subsys == "Microsoft-Windows-PowerShell/Operational"
+ and (
+ match(lower(object.process.cmdline),"*start-bitstransfer*")
+ or
+ match(lower(object.process.cmdline),"*add-bitsfile*")
+ or
+ match(lower(object.process.cmdline),"resume-bitstransfer")
+ or
+ match(lower(object.process.cmdline),"*set-bitstransfer*")
+ or
+ match(lower(object.process.cmdline),"*bits.manager*")
+ # Командлеты Powershell для WinRM
+ or match(lower(object.process.cmdline),"*wmi/root/microsoft/bits/bitsclientjob*")
+ # Командлеты WMI https://learn.microsoft.com/ru-ru/windows/win32/bits/bits-compact-server
+ or match(lower(object.process.cmdline),"*root\\microsoft\\bits*")
+ or match(lower(object.process.cmdline),"*bitscompactserverurlgroup*")
+ )
+ }
+
+event Powershell_Command_Execute:
+ key:
+ event_src.host
+ filter {
+ filter::NotFromCorrelator()
+ and msgid == "4103"
+ and action == "execute"
+ and event_src.title == "windows"
+ and object == "command"
+ and event_src.subsys == "Microsoft-Windows-PowerShell/Operational"
+ and (
+ match(lower(object.process.cmdline),"*start-bitstransfer*")
+ or
+ match(lower(object.process.cmdline),"*add-bitsfile*")
+ or
+ match(lower(object.process.cmdline),"resume-bitstransfer")
+ or
+ match(lower(object.process.cmdline),"*set-bitstransfer*")
+ or
+ match(lower(object.process.cmdline),"*bits.manager*")
+ # Командлеты Powershell для WinRM
+ or match(lower(object.process.cmdline),"*wmi/root/microsoft/bits/bitsclientjob*")
+ # Командлеты WMI https://learn.microsoft.com/ru-ru/windows/win32/bits/bits-compact-server
+ or match(lower(object.process.cmdline),"*root\\microsoft\\bits*")
+ or match(lower(object.process.cmdline),"*bitscompactserverurlgroup*")
+ )
+ }
+
+rule Create_bits_job_cmdline: (Process_Start or Powershell_Pipeline_Execute or Powershell_Command_Execute) timer 5m
+
+ on Process_Start {
+ $action = action # start
+ $object = object # process
+
+ $subject.account.name = subject.account.name
+ $subject.account.domain = subject.account.domain
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.session_id = subject.account.session_id
+ $subject.account.id = subject.account.id
+ $subject.account.privileges = subject.account.privileges
+
+ $object.account.session_id = object.account.session_id
+ $object.account.name = object.account.name
+ $object.account.domain = object.account.domain
+ $object.account.fullname = object.account.fullname
+ $object.account.id = object.account.id
+
+ $object.process.id = object.process.id
+ $object.process.name = object.process.name
+ $object.process.path = object.process.path
+ $object.process.fullpath = object.process.fullpath
+ $object.process.hash = object.process.hash
+ $object.process.hash.md5 = object.process.hash.md5
+ $object.process.hash.sha1 = object.process.hash.sha1
+ $object.process.hash.sha256 = object.process.hash.sha256
+ $object.process.version = object.process.version
+ $object.process.cmdline = object.process.cmdline
+ $object.process.guid = object.process.guid
+ $object.process.meta = object.process.meta
+ $object.process.original_name = object.process.original_name
+ $object.process.cwd = object.process.cwd
+ $object.process.chain = object.process.chain
+
+ $object.process.parent.id = object.process.parent.id
+ $object.process.parent.name = object.process.parent.name
+ $object.process.parent.path = object.process.parent.path
+ $object.process.parent.fullpath = object.process.parent.fullpath
+ $object.process.parent.guid = object.process.parent.guid
+ $object.process.parent.cmdline = object.process.parent.cmdline
+
+ $datafield6 = datafield6 # Идентификатор сессии в формате UUID
+
+ $datafield18 = datafield18 # Цепочка процесса-субъекта с идентификаторами
+ $datafield19 = datafield19 # Цепочка процесса-объекта с идентификаторами
+
+ $event_src.ip = event_src.ip
+ $event_src.hostname = event_src.hostname
+ $event_src.fqdn = event_src.fqdn
+ $event_src.host = event_src.host
+ $event_src.asset = event_src.asset
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.rule = event_src.rule
+
+ }
+
+ on Powershell_Pipeline_Execute {
+ $action = action # execute
+ $object = object # command
+
+ $subject.account.name = subject.account.name
+ $subject.account.domain = subject.account.domain
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.id = subject.account.id
+
+ $object.account.name = object.account.name
+ $object.account.domain = object.account.domain
+ $object.account.fullname = object.account.fullname
+ $object.account.id = object.account.id
+
+ $object.process.cmdline = object.process.cmdline
+ $object.process.name = object.process.name
+
+ $object.process.parent.path = object.process.parent.path
+ $object.process.parent.name = object.process.parent.name
+ $object.process.parent.fullpath = object.process.parent.fullpath
+ $object.process.parent.guid = object.process.parent.guid
+ $object.process.parent.id = object.process.parent.id
+ $object.process.parent.cmdline = object.process.parent.cmdline
+
+ $object.name = object.name
+ $object.path = object.path
+ $object.fullpath = object.fullpath
+ $object.value = object.value
+
+ $datafield8 = datafield8 # версия модуля
+ $datafield9 = datafield9 # Командлайн без приведения к нижнему регистру
+
+ $chain_id = chain_id
+
+ $event_src.host = event_src.host
+ $event_src.fqdn = event_src.fqdn
+ $event_src.hostname = event_src.hostname
+ $event_src.ip = event_src.ip
+ $event_src.asset = event_src.asset
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.category = event_src.category
+ $event_src.rule = event_src.rule
+
+ }
+
+ on Powershell_Command_Execute {
+ $action = action # execute
+ $object = object # command
+
+ $subject.account.name = subject.account.name
+ $subject.account.domain = subject.account.domain
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.id = subject.account.id
+
+ $object.account.name = object.account.name
+ $object.account.domain = object.account.domain
+ $object.account.fullname = object.account.fullname
+ $object.account.id = object.account.id
+
+ $object.process.cmdline = object.process.cmdline
+ $object.process.id = object.process.id
+
+ $object.id = object.id
+ $object.name = object.name
+ $object.path = object.path
+ $object.fullpath = object.fullpath
+ $object.value = object.value
+
+ $event_src.host = event_src.host
+ $event_src.fqdn = event_src.fqdn
+ $event_src.hostname = event_src.hostname
+ $event_src.ip = event_src.ip
+ $event_src.asset = event_src.asset
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.category = event_src.category
+ $event_src.rule = event_src.rule
+
+ }
+
+
+emit {
+ $correlation_type = "incident"
+ $importance = "medium"
+
+ $action = "alert"
+ $object = "malware"
+ $status = "success"
+
+ $category.generic = "Attack"
+ $category.high = "Command and Control"
+ $category.low = "Ingress Tool Transfer"
+
+ $incident.severity = "medium"
+ $incident.category = "Undefined"
+
+ $incident.aggregation.key = join([$correlation_name, $event_src.hostname, $object.process.cmdline], "|")
+ $incident.severity = $importance
+ $incident.aggregation.timeout = 2h
+}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/raw_events_1.json
new file mode 100644
index 00000000..81fcf0e3
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/raw_events_1.json
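Review bot: The `resume-bitstransfer` pattern in both PowerShell event filters has no wildcards, unlike every other entry in the same list, so — assuming `match()` is the glob-style comparison the surrounding `*...*` patterns rely on — `match(lower(object.process.cmdline),"resume-bitstransfer")` only fires when the whole command line is exactly that word and a `Resume-BitsTransfer -Name ...` invocation is missed; the line should read `or match(lower(object.process.cmdline),"*resume-bitstransfer*")` in Powershell_Pipeline_Execute and again in Powershell_Command_Execute. The two PowerShell filters are identical apart from `msgid`, and duplicated lists like these drift silently; a one-line comment such as `# keep in sync with Powershell_Command_Execute` above the first list would at least tell the next editor to change both. In emit, `$incident.severity = "medium"` is overwritten a few lines later by `$incident.severity = $importance`, so one of the two assignments is dead and can go; the same pair appears in the Create_bits_job_suspicious_process rule.co hunk below.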
@@ -0,0 +1 @@
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"2\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2024-08-15T20:27:54.9443499Z\"},\"EventRecordID\":\"86310\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"9828\"},\"Channel\":\"Security\",\"Computer\":\"DESKTOP-U2FH49E\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-2461812536-2730023992-3484359750-1001\"},{\"Name\":\"SubjectUserName\",\"text\":\"qwer\"},{\"Name\":\"SubjectDomainName\",\"text\":\"DESKTOP-U2FH49E\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0xc035b\"},{\"Name\":\"NewProcessId\",\"text\":\"0x1130\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\bitsadmin.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x9c0\"},{\"Name\":\"CommandLine\",\"text\":\"bitsadmin /create 1\"},{\"Name\":\"TargetUserSid\",\"text\":\"S-1-0-0\"},{\"Name\":\"TargetUserName\",\"text\":\"-\"},{\"Name\":\"TargetDomainName\",\"text\":\"-\"},{\"Name\":\"TargetLogonId\",\"text\":\"0x0\"},{\"Name\":\"ParentProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"MandatoryLabel\",\"text\":\"S-1-16-8192\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-08-15T20:28:15.557Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"942eb00c-1194-495e-b207-3bd4f0e7aac6"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/raw_events_2.json b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/raw_events_2.json
new file mode 100644
index 00000000..d743d9e5
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/raw_events_2.json
@@ -0,0 +1 @@
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-PowerShell\",\"Guid\":\"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}\"},\"EventID\":\"4103\",\"Version\":\"1\",\"Level\":\"4\",\"Task\":\"106\",\"Opcode\":\"20\",\"Keywords\":\"0x0\",\"TimeCreated\":{\"SystemTime\":\"2024-08-15T20:33:41.0102391Z\"},\"EventRecordID\":\"10317\",\"Correlation\":{\"ActivityID\":\"{db680879-ee36-0003-ee47-68db36eeda01}\"},\"Execution\":{\"ProcessID\":\"1588\",\"ThreadID\":\"7028\"},\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Computer\":\"DESKTOP-U2FH49E\",\"Security\":{\"UserID\":\"S-1-5-21-2461812536-2730023992-3484359750-1001\"}},\"EventData\":{\"Data\":[{\"Name\":\"ContextInfo\",\"text\":\"Важность = Informational Имя узла = ConsoleHost Версия узла = 5.1.19041.4780 ИД узла = 2db364a6-ee3a-4469-a644-7ba8b5beca02 Ведущее приложение = C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe Версия модуля = 5.1.19041.4780 ИД пространства выполнения = bec55a31-0a4b-48f7-bbfc-569a6e164990 ИД конвейера = 27 Имя команды = Start-BitsTransfer Тип команды = Cmdlet Имя сценария = Путь команды = Порядковый номер = 42 Пользователь = DESKTOP-U2FH49E\\\\qwer Подключенный пользователь = ИД оболочки = Microsoft.PowerShell\"},{\"Name\":\"UserData\"},{\"Name\":\"Payload\",\"text\":\"CommandInvocation(Start-BitsTransfer): \\\"Start-BitsTransfer\\\" ParameterBinding(Start-BitsTransfer): имя=\\\"Source\\\"; значение=\\\"c:\\\\windows\\\\system32\\\\cmd.exe\\\"\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-08-15T20:34:24.227Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"4926b3ec-2372-4d6f-a814-62952a27bfb2"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/raw_events_3.json b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/raw_events_3.json
new file mode 100644
index 00000000..2cab21fd
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/raw_events_3.json
@@ -0,0 +1 @@
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-PowerShell\",\"Guid\":\"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}\"},\"EventID\":\"4104\",\"Version\":\"1\",\"Level\":\"5\",\"Task\":\"2\",\"Opcode\":\"15\",\"Keywords\":\"0x0\",\"TimeCreated\":{\"SystemTime\":\"2024-08-15T20:33:29.6999786Z\"},\"EventRecordID\":\"10315\",\"Correlation\":{\"ActivityID\":\"{db680879-ee36-0003-ed47-68db36eeda01}\"},\"Execution\":{\"ProcessID\":\"1588\",\"ThreadID\":\"7028\"},\"Channel\":\"Microsoft-Windows-PowerShell/Operational\",\"Computer\":\"DESKTOP-U2FH49E\",\"Security\":{\"UserID\":\"S-1-5-21-2461812536-2730023992-3484359750-1001\"}},\"EventData\":{\"Data\":[{\"Name\":\"MessageNumber\",\"text\":\"1\"},{\"Name\":\"MessageTotal\",\"text\":\"1\"},{\"Name\":\"ScriptBlockText\",\"text\":\"Start-BitsTransfer\"},{\"Name\":\"ScriptBlockId\",\"text\":\"589e3314-eb33-4b5a-bd5d-1caecf9dfed0\"},{\"Name\":\"Path\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-08-15T20:35:39.251Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"fb4781e8-78a6-4afb-8ad1-0c14bf71f557"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/raw_events_4.json b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/raw_events_4.json
new file mode 100644
index 00000000..9e1d3395
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/raw_events_4.json
@@ -0,0 +1 @@
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\"},\"EventID\":\"4688\",\"Version\":\"2\",\"Level\":\"0\",\"Task\":\"13312\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2024-08-15T20:37:18.3661242Z\"},\"EventRecordID\":\"86404\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"8400\"},\"Channel\":\"Security\",\"Computer\":\"DESKTOP-U2FH49E\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-21-2461812536-2730023992-3484359750-1001\"},{\"Name\":\"SubjectUserName\",\"text\":\"qwer\"},{\"Name\":\"SubjectDomainName\",\"text\":\"DESKTOP-U2FH49E\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0xc035b\"},{\"Name\":\"NewProcessId\",\"text\":\"0x1414\"},{\"Name\":\"NewProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"},{\"Name\":\"TokenElevationType\",\"text\":\"%%1938\"},{\"Name\":\"ProcessId\",\"text\":\"0x27b0\"},{\"Name\":\"CommandLine\",\"text\":\"powershell Start-BitsTransfer c:\\\\windows\"},{\"Name\":\"TargetUserSid\",\"text\":\"S-1-0-0\"},{\"Name\":\"TargetUserName\",\"text\":\"-\"},{\"Name\":\"TargetDomainName\",\"text\":\"-\"},{\"Name\":\"TargetLogonId\",\"text\":\"0x0\"},{\"Name\":\"ParentProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"MandatoryLabel\",\"text\":\"S-1-16-8192\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-08-15T20:37:59.175Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"3d359f6a-3ba1-4bdd-b83b-884f8ba8748b"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/test_conds_1.tc
new file mode 100644
index 00000000..7f9419c3
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/test_conds_1.tc
@@ -0,0 +1,2 @@
+# 4688
+expect 1 {"action":"alert","category.generic":"Attack","category.high":"Command and Control","category.low":"Ingress Tool Transfer","correlation_name":"Create_bits_job_cmdline","correlation_type":"incident","count":1,"event_src.fqdn":"desktop-u2fh49e","event_src.host":"desktop-u2fh49e","event_src.hostname":"desktop-u2fh49e","event_src.subsys":"Security","event_src.title":"windows","event_src.vendor":"microsoft","generator.type":"correlationengine","importance":"medium","incident.aggregation.key":"Create_bits_job_cmdline|desktop-u2fh49e|bitsadmin /create 1","incident.aggregation.timeout":7200,"incident.category":"Undefined","incident.severity":"medium","normalized":true,"object":"malware","object.account.domain":"desktop-u2fh49e","object.account.id":"S-1-5-21-2461812536-2730023992-3484359750-1001","object.account.name":"qwer","object.account.session_id":"787291","object.process.cmdline":"bitsadmin /create 1","object.process.fullpath":"c:\\windows\\system32\\bitsadmin.exe","object.process.id":"4400","object.process.name":"bitsadmin.exe","object.process.parent.fullpath":"c:\\windows\\system32\\cmd.exe","object.process.parent.id":"2496","object.process.parent.name":"cmd.exe","object.process.parent.path":"c:\\windows\\system32\\","object.process.path":"c:\\windows\\system32\\","origin_app_id":"00000000-0000-0000-0000-000000000005","primary_siem_app_id":"00000000-0000-0000-0000-000000000005","status":"success","subject.account.domain":"desktop-u2fh49e","subject.account.id":"S-1-5-21-2461812536-2730023992-3484359750-1001","subject.account.name":"qwer","subject.account.privileges":"TokenElevationTypeLimited","subject.account.session_id":"787291"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/test_conds_2.tc b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/test_conds_2.tc
new file mode 100644
index 00000000..ac54e40c
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/test_conds_2.tc
@@ -0,0 +1,2 @@
+# Powershell 4103
+expect 1 {"action":"alert","category.generic":"Attack","category.high":"Command and Control","category.low":"Ingress Tool Transfer","correlation_name":"Create_bits_job_cmdline","correlation_type":"incident","event_src.category":"Operating system","event_src.fqdn":"desktop-u2fh49e","event_src.host":"desktop-u2fh49e","event_src.hostname":"desktop-u2fh49e","event_src.subsys":"Microsoft-Windows-PowerShell/Operational","event_src.title":"windows","event_src.vendor":"microsoft","importance":"medium","incident.aggregation.key":"Create_bits_job_cmdline|desktop-u2fh49e|\"Start-BitsTransfer\" -Source \"c:\\windows\\system32\\cmd.exe\"","incident.aggregation.timeout":7200,"incident.category":"Undefined","incident.severity":"medium","object":"malware","object.account.id":"S-1-5-21-2461812536-2730023992-3484359750-1001","object.process.cmdline":"\"Start-BitsTransfer\" -Source \"c:\\windows\\system32\\cmd.exe\"","object.value":"CommandInvocation(Start-BitsTransfer): \"Start-BitsTransfer\" ParameterBinding(Start-BitsTransfer): имя=\"Source\"; значение=\"c:\\windows\\system32\\cmd.exe\"","status":"success","subject.account.id":"S-1-5-21-2461812536-2730023992-3484359750-1001"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/test_conds_3.tc b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/test_conds_3.tc
new file mode 100644
index 00000000..12180264
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/test_conds_3.tc
@@ -0,0 +1,2 @@
+# Powershell 4104
+expect 1 {"action":"alert","category.generic":"Attack","category.high":"Command and Control","category.low":"Ingress Tool Transfer","correlation_name":"Create_bits_job_cmdline","correlation_type":"incident","event_src.category":"Operating system","event_src.fqdn":"desktop-u2fh49e","event_src.host":"desktop-u2fh49e","event_src.hostname":"desktop-u2fh49e","event_src.subsys":"Microsoft-Windows-PowerShell/Operational","event_src.title":"windows","event_src.vendor":"microsoft","importance":"medium","incident.aggregation.key":"Create_bits_job_cmdline|desktop-u2fh49e|Start-BitsTransfer","incident.aggregation.timeout":7200,"incident.category":"Undefined","incident.severity":"medium","object":"malware","object.account.id":"S-1-5-21-2461812536-2730023992-3484359750-1001","object.process.cmdline":"Start-BitsTransfer","object.value":"Start-BitsTransfer","status":"success","subject.account.id":"S-1-5-21-2461812536-2730023992-3484359750-1001"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/test_conds_4.tc b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/test_conds_4.tc
new file mode 100644
index 00000000..728401e8
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_cmdline/tests/test_conds_4.tc
@@ -0,0 +1,2 @@
+# 4688 powershell.exe
+expect 1 {"action":"alert","category.generic":"Attack","category.high":"Command and Control","category.low":"Ingress Tool Transfer","correlation_name":"Create_bits_job_cmdline","correlation_type":"incident","event_src.fqdn":"desktop-u2fh49e","event_src.host":"desktop-u2fh49e","event_src.hostname":"desktop-u2fh49e","event_src.subsys":"Security","event_src.title":"windows","event_src.vendor":"microsoft","importance":"medium","incident.aggregation.key":"Create_bits_job_cmdline|desktop-u2fh49e|powershell Start-BitsTransfer c:\\windows","incident.aggregation.timeout":7200,"incident.category":"Undefined","incident.severity":"medium","object":"malware","object.account.domain":"desktop-u2fh49e","object.account.id":"S-1-5-21-2461812536-2730023992-3484359750-1001","object.account.name":"qwer","object.account.session_id":"787291","object.process.cmdline":"powershell Start-BitsTransfer c:\\windows","object.process.fullpath":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","object.process.id":"5140","object.process.name":"powershell.exe","object.process.parent.fullpath":"c:\\windows\\system32\\cmd.exe","object.process.parent.id":"10160","object.process.parent.name":"cmd.exe","object.process.parent.path":"c:\\windows\\system32\\","object.process.path":"c:\\windows\\system32\\windowspowershell\\v1.0\\","status":"success","subject.account.domain":"desktop-u2fh49e","subject.account.id":"S-1-5-21-2461812536-2730023992-3484359750-1001","subject.account.name":"qwer","subject.account.privileges":"TokenElevationTypeLimited","subject.account.session_id":"787291"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/i18n/i18n_en.yaml
new file mode 100644
index 00000000..3b370778
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/i18n/i18n_en.yaml
@@ -0,0 +1,4 @@
+Description: 'Creating a BITS task by a non-whitelist process'
+EventDescriptions:
+ - LocalizationId: 'corrname_Create_bits_job_suspicious_process'
+ EventDescription: 'There is a suspicious process on the {event_src.host} host {object.process.fullpath} created the BITS task'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/i18n/i18n_ru.yaml
new file mode 100644
index 00000000..3e687632
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/i18n/i18n_ru.yaml
@@ -0,0 +1,4 @@
+Description: 'Создание задачи BITS процессом не из whitelist'
+EventDescriptions:
+ - LocalizationId: 'corrname_Create_bits_job_suspicious_process'
+ EventDescription: 'На хосте {event_src.host} подозрительный процесс {object.process.fullpath} создал задачу BITS'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/metainfo.yaml
new file mode 100644
index 00000000..1d910f32
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/metainfo.yaml
@@ -0,0 +1,25 @@
+ContentAutoName: Create_bits_job_suspicious_process
+ExpertContext:
+ Created: 13.08.2024
+ Updated: 13.08.2024
+ KnowledgeHolders:
+ - d3f0x0 (Vadim Varganov)
+ Usecases:
+ - Attacker create BITS for download or upload file, C2
+ Falsepositives:
+ - Administrative action
+ References: []
+ Improvements: []
+ DataSources:
+ - Provider: Microsoft-Windows-Bits-Client
+ EventID:
+ - 3
+ObjectId: SEC-CR-447239112
+ContentRelations:
+ Implements:
+ ATTACK:
+ command-and-control:
+ - T1105
+EventDescriptions:
+ - Criteria: correlation_name = "Create_bits_job_suspicious_process"
+ LocalizationId: corrname_Create_bits_job_suspicious_process
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/rule.co
new file mode 100644
index 00000000..29b487e7
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/rule.co
@@ -0,0 +1,61 @@
+query CheckProcess($fullpath) from BITS_process_whitelist {
+ regex_match($fullpath, column::fullpath)
+}
+
+event Bits_create_job:
+ key:
+ event_src.host
+ filter {
+ msgid == "3"
+ and event_src.id == "Microsoft-Windows-Bits-Client"
+ and select_query_first("CheckProcess", [lower(object.process.fullpath)], "fullpath") == null
+ }
+
+
+rule Create_bits_job_suspicious_process: Bits_create_job
+
+on Bits_create_job {
+
+ $object.name = object.name
+ $object.account.fullname = object.account.fullname
+ $object.account.name = object.account.name
+ $object.account.domain = object.account.domain
+
+ $object.process.fullpath = object.process.fullpath
+ $object.process.name = object.process.name
+ $object.process.id = object.process.id
+ $object.id = object.id
+ $event_src.fqdn = event_src.fqdn
+ $event_src.hostname = event_src.hostname
+ $event_src.host = event_src.hostname
+
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.category = event_src.category
+ $event_src.id = event_src.id
+
+ $subject = subject
+ $action = action
+ $object = object
+ $status = status
+}
+
+
+emit {
+ $correlation_type = "incident"
+
+ $importance = "medium"
+
+ $category.generic = "Attack"
+ $category.high = "Command and Control"
+ $category.low = "Ingress Tool Transfer"
+
+ $incident.severity = "medium"
+ $incident.category = "Undefined"
+
+ $incident.aggregation.key = join([$correlation_name, $event_src.host, $object.id], "|")
+ $incident.severity = $importance
+ $incident.aggregation.timeout = 2h
+
+}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/tests/raw_events_1.json
new file mode 100644
index 00000000..818c2612
--- /dev/null
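Review bot: The whole suppression decision in Bits_create_job rests on `regex_match($fullpath, column::fullpath)` inside the CheckProcess query, so an unanchored or mixed-case row in BITS_process_whitelist (a bare executable name, for instance) would match that name under any directory against the lowercased `object.process.fullpath` and silence the alert; the table's contract is not written down anywhere in this hunk. A comment above the query, such as `# BITS_process_whitelist.fullpath rows are regexes tested against lower(object.process.fullpath): keep them lowercase, backslash-escaped and anchored at both ends`, would make that visible to whoever maintains the table. The filter also omits the `filter::NotFromCorrelator()` guard that the events in Create_bits_job_cmdline use; if the `msgid == "3"` and `event_src.id` checks make it unnecessary here, a one-line comment saying so would save the next reader the question. Finally, `$event_src.host = event_src.hostname` copies a different field than the same-named assignment used in the sibling rule and feeds `incident.aggregation.key`; it looks deliberate, but is worth confirming against what the normalizer actually populates.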
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/tests/raw_events_1.json 
@@ -0,0 +1,6 @@ +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Bits-Client\",\"Guid\":\"{ef1cc15b-46c1-414e-bb95-e76b077bd51e}\"},\"EventID\":\"60\",\"Version\":\"1\",\"Level\":\"4\",\"Task\":\"0\",\"Opcode\":\"2\",\"Keywords\":\"0x4000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-03-15 18:53:54.317511\"},\"EventRecordID\":\"9397\",\"Correlation\":{\"ActivityID\":\"{3890f7bf-e4a4-48e5-b550-5ed41936d17f}\"},\"Execution\":{\"ProcessID\":\"8100\",\"ThreadID\":\"5972\"},\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"transferId\",\"text\":\"{3890f7bf-e4a4-48e5-b550-5ed41936d17f}\"},{\"Name\":\"name\",\"text\":\"Push Notification Platform Job: 1\"},{\"Name\":\"Id\",\"text\":\"{3867d376-2568-4730-90e4-d460ff9d4dc9}\"},{\"Name\":\"url\",\"text\":\"https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png\"},{\"Name\":\"peer\"},{\"Name\":\"hr\",\"text\":\"0\"},{\"Name\":\"fileTime\",\"text\":\"2021-03-08 00:10:28\"},{\"Name\":\"fileLength\",\"text\":\"30038\"},{\"Name\":\"bytesTotal\",\"text\":\"30038\"},{\"Name\":\"bytesTransferred\",\"text\":\"30038\"},{\"Name\":\"proxy\"},{\"Name\":\"peerProtocolFlags\",\"text\":\"0\"},{\"Name\":\"bytesTransferredFromPeer\",\"text\":\"0\"},{\"Name\":\"AdditionalInfoHr\",\"text\":\"0\"},{\"Name\":\"PeerContextInfo\",\"text\":\"0\"},{\"Name\":\"bandwidthLimit\",\"text\":\"18446744073709551615\"},{\"Name\":\"ignoreBandwidthLimitsOnLan\",\"text\":\"False\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-04T08:22:05.637Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"1c552bbc-1276-4a8a-bd36-93a55cb936dc"} 
+{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Bits-Client\",\"Guid\":\"{ef1cc15b-46c1-414e-bb95-e76b077bd51e}\"},\"EventID\":\"4\",\"Version\":\"1\",\"Level\":\"4\",\"Task\":\"0\",\"Opcode\":\"0\",\"Keywords\":\"0x4000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-03-15 18:53:54.320107\"},\"EventRecordID\":\"9398\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"8100\",\"ThreadID\":\"5972\"},\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"jobTitle\",\"text\":\"Push Notification Platform Job: 1\"},{\"Name\":\"jobId\",\"text\":\"{3867d376-2568-4730-90e4-d460ff9d4dc9}\"},{\"Name\":\"jobOwner\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"fileCount\",\"text\":\"1\"},{\"Name\":\"bytesTransferred\",\"text\":\"30038\"},{\"Name\":\"bytesTransferredFromPeer\",\"text\":\"0\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-04T08:22:05.637Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"2c1eedc7-54b9-4dc8-9ac1-0908f9eea2a4"} +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Bits-Client\",\"Guid\":\"{ef1cc15b-46c1-414e-bb95-e76b077bd51e}\"},\"EventID\":\"3\",\"Version\":\"2\",\"Level\":\"4\",\"Task\":\"0\",\"Opcode\":\"0\",\"Keywords\":\"0x4000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-03-15 
18:54:14.168472\"},\"EventRecordID\":\"9399\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"8100\",\"ThreadID\":\"8184\"},\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"jobTitle\",\"text\":\"efc1a28b.png\"},{\"Name\":\"jobId\",\"text\":\"{2655ebaf-2c16-4e2d-90e3-99c5249cc4f3}\"},{\"Name\":\"jobOwner\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"processPath\",\"text\":\"C:\\\\Windows\\\\SysWOW64\\\\notepad.exe\"},{\"Name\":\"processId\",\"text\":\"4016\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-04T08:22:05.637Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"53424746-3d92-4b7a-b4fe-2113f86408bd"} +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Bits-Client\",\"Guid\":\"{ef1cc15b-46c1-414e-bb95-e76b077bd51e}\"},\"EventID\":\"59\",\"Version\":\"1\",\"Level\":\"4\",\"Task\":\"0\",\"Opcode\":\"1\",\"Keywords\":\"0x4000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-03-15 18:54:15.647333\"},\"EventRecordID\":\"9400\",\"Correlation\":{\"ActivityID\":\"{914d3c21-a45e-43d5-bcff-9e53b581ce2d}\"},\"Execution\":{\"ProcessID\":\"8100\",\"ThreadID\":\"5432\"},\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"transferId\",\"text\":\"{914d3c21-a45e-43d5-bcff-9e53b581ce2d}\"},{\"Name\":\"name\",\"text\":\"efc1a28b.png\"},{\"Name\":\"Id\",\"text\":\"{2655ebaf-2c16-4e2d-90e3-99c5249cc4f3}\"},{\"Name\":\"url\",\"text\":\"https://i.imgur.com/IFpvPlt.png\"},{\"Name\":\"peer\"},{\"Name\":\"fileTime\",\"text\":\"2021-02-24 
21:52:17\"},{\"Name\":\"fileLength\",\"text\":\"394556\"},{\"Name\":\"bytesTotal\",\"text\":\"394556\"},{\"Name\":\"bytesTransferred\",\"text\":\"0\"},{\"Name\":\"bytesTransferredFromPeer\",\"text\":\"0\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-04T08:22:05.637Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"c17d1351-5783-4a2d-b76b-f9ac39aa5bc4"} +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Bits-Client\",\"Guid\":\"{ef1cc15b-46c1-414e-bb95-e76b077bd51e}\"},\"EventID\":\"60\",\"Version\":\"1\",\"Level\":\"4\",\"Task\":\"0\",\"Opcode\":\"2\",\"Keywords\":\"0x4000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-03-15 18:54:50.487825\"},\"EventRecordID\":\"9401\",\"Correlation\":{\"ActivityID\":\"{914d3c21-a45e-43d5-bcff-9e53b581ce2d}\"},\"Execution\":{\"ProcessID\":\"8100\",\"ThreadID\":\"8184\"},\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"transferId\",\"text\":\"{914d3c21-a45e-43d5-bcff-9e53b581ce2d}\"},{\"Name\":\"name\",\"text\":\"efc1a28b.png\"},{\"Name\":\"Id\",\"text\":\"{2655ebaf-2c16-4e2d-90e3-99c5249cc4f3}\"},{\"Name\":\"url\",\"text\":\"https://i.imgur.com/IFpvPlt.png\"},{\"Name\":\"peer\"},{\"Name\":\"hr\",\"text\":\"0\"},{\"Name\":\"fileTime\",\"text\":\"2021-02-24 
21:52:17\"},{\"Name\":\"fileLength\",\"text\":\"394556\"},{\"Name\":\"bytesTotal\",\"text\":\"394556\"},{\"Name\":\"bytesTransferred\",\"text\":\"394556\"},{\"Name\":\"proxy\"},{\"Name\":\"peerProtocolFlags\",\"text\":\"0\"},{\"Name\":\"bytesTransferredFromPeer\",\"text\":\"0\"},{\"Name\":\"AdditionalInfoHr\",\"text\":\"0\"},{\"Name\":\"PeerContextInfo\",\"text\":\"0\"},{\"Name\":\"bandwidthLimit\",\"text\":\"18446744073709551615\"},{\"Name\":\"ignoreBandwidthLimitsOnLan\",\"text\":\"False\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-04T08:22:05.637Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"2758b8c0-d0eb-43a3-a233-032900d590a8"} +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Bits-Client\",\"Guid\":\"{ef1cc15b-46c1-414e-bb95-e76b077bd51e}\"},\"EventID\":\"4\",\"Version\":\"1\",\"Level\":\"4\",\"Task\":\"0\",\"Opcode\":\"0\",\"Keywords\":\"0x4000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2021-03-15 
18:54:51.653753\"},\"EventRecordID\":\"9402\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"8100\",\"ThreadID\":\"8184\"},\"Channel\":\"Microsoft-Windows-Bits-Client/Operational\",\"Computer\":\"MSEDGEWIN10\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"User\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"jobTitle\",\"text\":\"efc1a28b.png\"},{\"Name\":\"jobId\",\"text\":\"{2655ebaf-2c16-4e2d-90e3-99c5249cc4f3}\"},{\"Name\":\"jobOwner\",\"text\":\"MSEDGEWIN10\\\\IEUser\"},{\"Name\":\"fileCount\",\"text\":\"1\"},{\"Name\":\"bytesTransferred\",\"text\":\"394556\"},{\"Name\":\"bytesTransferredFromPeer\",\"text\":\"0\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-04T08:22:05.637Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"3cd0e43b-dfdb-40f7-8ce1-994403585b93"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/tests/test_conds_1.tc new file mode 100644 index 00000000..0f10dfe5 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Create_bits_job_suspicious_process/tests/test_conds_1.tc 
@@ -0,0 +1 @@ +expect 1 {"action":"create","category.generic":"Attack","category.high":"Command and Control","category.low":"Ingress Tool Transfer","correlation_name":"Create_bits_job_suspicious_process","correlation_type":"incident","event_src.category":"Operating system","event_src.fqdn":"msedgewin10","event_src.host":"msedgewin10","event_src.hostname":"msedgewin10","event_src.id":"Microsoft-Windows-Bits-Client","event_src.subsys":"Microsoft-Windows-Bits-Client/Operational","event_src.title":"windows","event_src.vendor":"microsoft","importance":"medium","incident.aggregation.key":"Create_bits_job_suspicious_process|msedgewin10|{2655ebaf-2c16-4e2d-90e3-99c5249cc4f3}","incident.aggregation.timeout":7200,"incident.category":"Undefined","incident.severity":"medium","object":"task","object.account.domain":"MSEDGEWIN10","object.account.fullname":"MSEDGEWIN10\\IEUser","object.account.name":"IEUser","object.id":"{2655ebaf-2c16-4e2d-90e3-99c5249cc4f3}","object.name":"efc1a28b.png","object.process.fullpath":"C:\\Windows\\SysWOW64\\notepad.exe","object.process.id":"4016","object.process.name":"notepad.exe","status":"success"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/i18n/i18n_en.yaml new file mode 100644 index 00000000..ff2a89ed --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/i18n/i18n_en.yaml @@ -0,0 +1,4 @@ +Description: 'When downloading a file using BITS, a temporary BIT.tmp file is created' +EventDescriptions: + - LocalizationId: 'corrname_Download_file_via_bits' + EventDescription: 'A temporary BITS service file has been created on the {event_src.host} host {object.fullpath}' 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/i18n/i18n_ru.yaml new file mode 100644 index 00000000..30d523ca --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/i18n/i18n_ru.yaml @@ -0,0 +1,4 @@ +Description: 'При загрузке файла с помощью BITS, создается временный файл BIT.tmp' +EventDescriptions: + - LocalizationId: 'corrname_Download_file_via_bits' + EventDescription: 'На хосте {event_src.host} создан временный файл службы BITS {object.fullpath}' diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/metainfo.yaml new file mode 100644 index 00000000..11288e65 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/metainfo.yaml @@ -0,0 +1,28 @@ +ContentAutoName: Download_file_via_bits +ExpertContext: + Created: 21.07.2024 + Updated: 21.07.2024 + KnowledgeHolders: + - d3f0x0 (Vadim Varganov) + Usecases: + - Download payload via BITS + Falsepositives: + - Administrative action + References: [] + Improvements: [] + DataSources: + - Provider: Microsoft-Windows-Security-Auditing + EventID: + - 4663 + - Provider: Microsoft-Windows-Sysmon + EventID: + - 11 +ObjectId: SEC-CR-581325244 +ContentRelations: + Implements: + ATTACK: + command-and-control: + - T1105 +EventDescriptions: + - Criteria: correlation_name = "Download_file_via_bits" + LocalizationId: corrname_Download_file_via_bits 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/rule.co new file mode 100644 index 00000000..24c8e5f7 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/rule.co 
@@ -0,0 +1,71 @@
+event Create_file:
+ key:
+ event_src.host
+ filter {
+ filter::NotFromCorrelator()
+ and filter::FileCreate_Windows()
+ and regex(lower(object.name), "bit[\w\d]+\.tmp", 0) != null
+ }
+
+rule Download_file_via_bits: Create_file
+
+on Create_file {
+ $datafield1 = datafield1
+ $datafield5 = datafield5
+
+ $event_src.ip = event_src.ip
+ $event_src.hostname = event_src.hostname
+ $event_src.host = event_src.host
+ $event_src.asset = event_src.asset
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.vendor = event_src.vendor
+ $event_src.category = event_src.category
+ $event_src.rule = event_src.rule
+
+ $importance = importance
+
+ $object.name = object.name
+ $object.path = object.path
+ $object.fullpath = object.fullpath
+ $object.type = object.type
+ $object.property = object.property
+ $object.value = object.value
+ $object.new_value = object.new_value
+ $object.query = object.query
+
+ $status = status
+
+ $subject = subject
+ $subject.account.name = subject.account.name
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.domain = subject.account.domain
+ $subject.account.session_id = subject.account.session_id
+ $subject.account.id = subject.account.id
+ $subject.account.privileges = subject.account.privileges
+
+ $subject.process.id = subject.process.id
+ $subject.process.name = subject.process.name
+ $subject.process.path = subject.process.path
+ $subject.process.fullpath = subject.process.fullpath
+ $subject.process.hash = subject.process.hash
+ $subject.process.version = subject.process.version
+ $subject.process.cmdline = subject.process.cmdline
+ $subject.process.guid = subject.process.guid
+ $subject.process.meta = subject.process.meta
+ $subject.process.original_name = subject.process.original_name
+ $subject.process.cwd = subject.process.cwd
+ $subject.process.chain = subject.process.chain
+
+}
+
+emit {
+ $correlation_type = "event"
+
+ $subject = "process"
+ $action =
"download"
+ $object = "file_object"
+ $status = "success"
+
+ $importance = "medium"
+}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/tests/raw_events_1.json
new file mode 100644
index 00000000..8986c1bc
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/tests/raw_events_1.json
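Review bot: The file-name pattern `"bit[\w\d]+\.tmp"` in the Create_file filter is unanchored and `\d` is already covered by `\w`, so any name that merely contains that substring (for example `habit1.tmp`) matches, whereas the fixture name `BIT32C7.tmp` is the `BIT<hex>.tmp` form the rule is after; if `regex()` honours anchors in this DSL, `"^bit[0-9a-f]+\.tmp$"` would match only that form. `$importance = importance` in the on-block is dead, because emit then unconditionally sets `$importance = "medium"`; keep one of the two. Since this rule emits `correlation_type = "event"` rather than an incident, a header comment stating that it is a building block consumed by other rules, and that `$subject.process.*` (svchost.exe in the fixture, which hosts the BITS service) is carried so consumers can tell the service-hosted writer from any other process, would help the next maintainer.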
@@ -0,0 +1 @@ +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Security-Auditing\",\"Guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\"},\"EventID\":\"4663\",\"Version\":\"1\",\"Level\":\"0\",\"Task\":\"12800\",\"Opcode\":\"0\",\"Keywords\":\"0x8020000000000000\",\"TimeCreated\":{\"SystemTime\":\"2024-07-22T03:40:29.682708600Z\"},\"EventRecordID\":\"145236\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"4\",\"ThreadID\":\"3256\"},\"Channel\":\"Security\",\"Computer\":\"DESKTOP-5SG4NV1\",\"Security\":\"\"},\"EventData\":{\"Data\":[{\"Name\":\"SubjectUserSid\",\"text\":\"S-1-5-18\"},{\"Name\":\"SubjectUserName\",\"text\":\"DESKTOP-5SG4NV1$\"},{\"Name\":\"SubjectDomainName\",\"text\":\"WORKGROUP\"},{\"Name\":\"SubjectLogonId\",\"text\":\"0x3e7\"},{\"Name\":\"ObjectServer\",\"text\":\"Security\"},{\"Name\":\"ObjectType\",\"text\":\"File\"},{\"Name\":\"ObjectName\",\"text\":\"C:\\\\Users\\\\qwer\\\\Downloads\\\\BIT32C7.tmp\"},{\"Name\":\"HandleId\",\"text\":\"0x89c\"},{\"Name\":\"AccessList\",\"text\":\"%%4417\"},{\"Name\":\"AccessMask\",\"text\":\"0x2\"},{\"Name\":\"ProcessId\",\"text\":\"0xd3c\"},{\"Name\":\"ProcessName\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ResourceAttributes\",\"text\":\"S:AI(RA;ID;;;;WD;(\\\"IMAGELOAD\\\",TU,0x0,1))\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-07-21T17:41:28.395Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"72e39fe5-75c5-42a0-b706-20b726a23d99"} \ No newline at end of file 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/tests/test_conds_1.tc new file mode 100644 index 00000000..151dfbde --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Download_file_via_bits/tests/test_conds_1.tc @@ -0,0 +1 @@ +expect 1 {"action":"download","correlation_name":"Download_file_via_bits","correlation_type":"event","datafield1":"0x89c","datafield5":"0x2","event_src.category":"Operating system","event_src.host":"desktop-5sg4nv1","event_src.hostname":"desktop-5sg4nv1","event_src.subsys":"Security","event_src.title":"windows","event_src.vendor":"microsoft","importance":"medium","object":"file_object","object.fullpath":"c:\\users\\qwer\\downloads\\bit32c7.tmp","object.name":"bit32c7.tmp","object.path":"c:\\users\\qwer\\downloads\\","object.property":"GrantedAccess","object.type":"file","object.value":"0x2","status":"success","subject":"process","subject.account.domain":"workgroup","subject.account.id":"S-1-5-18","subject.account.name":"desktop-5sg4nv1$","subject.account.privileges":"%%4417","subject.account.session_id":"999","subject.process.fullpath":"C:\\Windows\\System32\\svchost.exe","subject.process.id":"3388","subject.process.name":"svchost.exe","subject.process.path":"C:\\Windows\\System32\\"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/i18n/i18n_en.yaml new file mode 100644 index 00000000..c956f896 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/i18n/i18n_en.yaml 
@@ -0,0 +1,4 @@ +Description: 'A library has been downloaded that allows you to interact with BITS' +EventDescriptions: + - LocalizationId: 'corrname_Used_bits_over_custom_binary' + EventDescription: 'There is a suspicious process on the {event_src.host} host {subject.process.fullpath} loaded the library {object.process.fullpath}' diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/i18n/i18n_ru.yaml new file mode 100644 index 00000000..6be4952c --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/i18n/i18n_ru.yaml @@ -0,0 +1,4 @@ +Description: 'Загружена библиотека, позволяющая взаимодействовать с BITS' +EventDescriptions: + - LocalizationId: 'corrname_Used_bits_over_custom_binary' + EventDescription: 'На хосте {event_src.host} подозрительный процесс {subject.process.fullpath} загрузил библиотеку {object.process.fullpath}' diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/metainfo.yaml new file mode 100644 index 00000000..11ca6031 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/metainfo.yaml 
@@ -0,0 +1,25 @@ +ContentAutoName: Used_bits_over_custom_binary +ExpertContext: + Created: 21.07.2024 + Updated: 14.08.2024 + KnowledgeHolders: + - Vadim Varganov (d3f0x0) + Usecases: + - Upload, download or execute payload over BITS + Falsepositives: + - Administrative action + References: [] + Improvements: [] + DataSources: + - Provider: Microsoft-Windows-Sysmon + EventID: + - 7 +ObjectId: SEC-CR-102100675 +ContentRelations: + Implements: + ATTACK: + command-and-control: + - T1105 +EventDescriptions: + - Criteria: correlation_name = "Used_bits_over_custom_binary" + LocalizationId: corrname_Used_bits_over_custom_binary diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/rule.co new file mode 100644 index 00000000..86643572 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/rule.co 
@@ -0,0 +1,97 @@
+query CheckProcess($fullpath) from BITS_process_whitelist {
+ regex_match($fullpath, column::fullpath)
+}
+
+
+event Image_load:
+ key:
+ event_src.host
+ filter {
+ filter::NotFromCorrelator()
+ and msgid == "7" and event_src.title == "sysmon"
+ and select_query_first("CheckProcess", [lower(subject.process.fullpath)], "fullpath") == null
+ and in_list(["bitsproxy.dll", "microsoft.backgroundintelligenttransfer.management.interop.dll"], lower(object.process.name))
+ }
+
+
+rule Used_bits_over_custom_binary: Image_load[1,5] timer 1m
+on Image_load {
+
+ $action = action
+
+ $event_src.ip = event_src.ip
+ $event_src.hostname = event_src.hostname
+ $event_src.host = event_src.host
+ $event_src.asset = event_src.asset
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.vendor = event_src.vendor
+ $event_src.category = event_src.category
+ $event_src.rule = event_src.rule
+
+ $object = object
+ $object.value = object.value
+
+ $object.process.id = object.process.id
+ $object.process.name = object.process.name
+ $object.process.path = object.process.path
+ $object.process.fullpath = object.process.fullpath
+ $object.process.hash = object.process.hash
+ $object.process.hash.md5 = object.process.hash.md5
+ $object.process.hash.sha1 = object.process.hash.sha1
+ $object.process.hash.sha256 = object.process.hash.sha256
+ $object.process.version = object.process.version
+ $object.process.cmdline = object.process.cmdline
+ $object.process.guid = object.process.guid
+ $object.process.meta = object.process.meta
+ $object.process.original_name = object.process.original_name
+ $object.process.cwd = object.process.cwd
+ $object.process.chain = object.process.chain
+ $object.process.hash.imphash = object.process.hash.imphash
+ $object.property = object.property
+
+ $status = status
+ $subject = subject
+
+ $subject.account.name = subject.account.name
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.domain
= subject.account.domain
+ $subject.account.session_id = subject.account.session_id
+ $subject.account.id = subject.account.id
+ $subject.account.privileges = subject.account.privileges
+
+ $subject.process.id = subject.process.id
+
+ $subject.process.name = subject.process.name
+ $subject.process.path = subject.process.path
+
+ $subject.process.fullpath = subject.process.fullpath
+ $subject.process.hash = subject.process.hash
+ $subject.process.version = subject.process.version
+ $subject.process.cmdline = subject.process.cmdline
+ $subject.process.guid = subject.process.guid
+ $subject.process.meta = subject.process.meta
+ $subject.process.original_name = subject.process.original_name
+ $subject.process.cwd = subject.process.cwd
+ $subject.process.chain = subject.process.chain
+
+}
+
+
+emit {
+ $correlation_type = "incident"
+
+ $importance = "medium"
+
+ $category.generic = "Attack"
+ $category.high = "Command and Control"
+ $category.low = "Ingress Tool Transfer"
+
+ $incident.severity = "medium"
+ $incident.category = "Undefined"
+
+ $incident.aggregation.key = join([$correlation_name, $event_src.host, $object.process.name], "|")
+ $incident.severity = $importance
+ $incident.aggregation.timeout = 2h
+
+}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/tests/raw_events_1.json
new file mode 100644
index 00000000..c86e56f6
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/tests/raw_events_1.json
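Review bot: The module allow-list in the Image_load filter keys on `lower(object.process.name)`, i.e. the on-disk file name of the loaded library, so the same library copied under a different name does not match; the on-block already carries `object.process.original_name` (`qmgrprxy.dll` for BitsProxy.dll in the fixture) and the module hashes, and testing `lower(object.process.original_name)` against the list as a second alternative would make the match less dependent on the file name. The event key is `event_src.host` alone while the rule collects `Image_load[1,5]` within `timer 1m`, so when two different non-allow-listed processes load the library on one host inside that window the `$subject.process.*` assignments in the on-block are presumably overwritten by the later event and only the last loader is reported; adding `subject.process.guid` (or `subject.process.id`) to the key would keep one correlation per loading process. The rule's header and the on-block start at the beginning of this hunk, which spans the previous physical line.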
@@ -0,0 +1 @@ +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"7\",\"Version\":\"3\",\"Level\":\"4\",\"Task\":\"7\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2024-08-14T11:19:54.9230125Z\"},\"EventRecordID\":\"13876932\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3804\",\"ThreadID\":\"4572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"DESKTOP-U2FH49E\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"-\"},{\"Name\":\"UtcTime\",\"text\":\"2024-08-14 11:19:54.916\"},{\"Name\":\"ProcessGuid\",\"text\":\"{95af35c7-92da-66bc-a601-000000001300}\"},{\"Name\":\"ProcessId\",\"text\":\"4540\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\bitsadmin.exe\"},{\"Name\":\"ImageLoaded\",\"text\":\"C:\\\\Windows\\\\System32\\\\BitsProxy.dll\"},{\"Name\":\"FileVersion\",\"text\":\"7.8.19041.1 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Background Intelligent Transfer Service Proxy\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"qmgrprxy.dll\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=F76CEB9DA1BD2F4E9C02E49758C654630518A066,MD5=B3E2BAEAD079C29BC16CAA7830A17FA6,SHA256=E72BF2ADCE95F764BD880A458B04BA0BEBB0EBA7EB3473A29FDBE3A98F1A86D5,IMPHASH=44BEE37A834D6E66277D9ADD2D131FC2\"},{\"Name\":\"Signed\",\"text\":\"true\"},{\"Name\":\"Signature\",\"text\":\"Microsoft 
Windows\"},{\"Name\":\"SignatureStatus\",\"text\":\"Valid\"},{\"Name\":\"User\",\"text\":\"DESKTOP-U2FH49E\\\\qwer\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-08-14T11:20:41.197Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"cbfde640-bfad-4524-af88-11fbaa1598f5"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/tests/test_conds_1.tc new file mode 100644 index 00000000..4a7ef466 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Used_bits_over_custom_binary/tests/test_conds_1.tc 
@@ -0,0 +1 @@ +expect 1 {"action":"start","category.generic":"Attack","category.high":"Command and Control","category.low":"Ingress Tool Transfer","correlation_name":"Used_bits_over_custom_binary","correlation_type":"incident","event_src.category":"Other","event_src.host":"desktop-u2fh49e","event_src.hostname":"desktop-u2fh49e","event_src.rule":"-","event_src.subsys":"Microsoft-Windows-Sysmon/Operational","event_src.title":"sysmon","event_src.vendor":"microsoft","importance":"medium","incident.aggregation.key":"Used_bits_over_custom_binary|desktop-u2fh49e|bitsproxy.dll","incident.aggregation.timeout":7200,"incident.category":"Undefined","incident.severity":"medium","object":"module","object.process.fullpath":"c:\\windows\\system32\\bitsproxy.dll","object.process.hash.imphash":"44BEE37A834D6E66277D9ADD2D131FC2","object.process.hash.md5":"B3E2BAEAD079C29BC16CAA7830A17FA6","object.process.hash.sha1":"F76CEB9DA1BD2F4E9C02E49758C654630518A066","object.process.hash.sha256":"E72BF2ADCE95F764BD880A458B04BA0BEBB0EBA7EB3473A29FDBE3A98F1A86D5","object.process.meta":"Description:Background Intelligent Transfer Service Proxy | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation","object.process.name":"bitsproxy.dll","object.process.original_name":"qmgrprxy.dll","object.process.path":"c:\\windows\\system32\\","object.property":"signature status","object.value":"Valid | Microsoft Windows","status":"success","subject":"process","subject.account.domain":"desktop-u2fh49e","subject.account.id":"synthetic:qwer@desktop-u2fh49e","subject.account.name":"qwer","subject.process.fullpath":"c:\\windows\\system32\\bitsadmin.exe","subject.process.guid":"95af35c7-92da-66bc-a601-000000001300","subject.process.id":"4540","subject.process.name":"bitsadmin.exe","subject.process.path":"c:\\windows\\system32\\"} \ No newline at end of file 
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/i18n/i18n_en.yaml new file mode 100644 index 00000000..ec9e2658 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/i18n/i18n_en.yaml @@ -0,0 +1,4 @@ +Description: 'The Windows Defender alert indicates the use of BITS' +EventDescriptions: + - LocalizationId: 'corrname_Windows_defender_BITS_alert' + EventDescription: 'On the {event_src.host} host, Windows Defender detected the operation of BITS {object.name}' diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/i18n/i18n_ru.yaml new file mode 100644 index 00000000..c11c0b08 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/i18n/i18n_ru.yaml @@ -0,0 +1,4 @@ +Description: 'Алерт Windows Defender указывает на использование BITS' +EventDescriptions: + - LocalizationId: 'corrname_Windows_defender_BITS_alert' + EventDescription: 'На хосте {event_src.host} Windows Defender обнаружил эксплуатацию BITS {object.name}' diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/metainfo.yaml new file mode 100644 index 00000000..ef5d7e11 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/metainfo.yaml 
@@ -0,0 +1,25 @@
+ContentAutoName: Windows_defender_BITS_alert
+ExpertContext:
+ Created: 14.08.2024
+ Updated: 14.08.2024
+ KnowledgeHolders:
+ - Vadim Varganov (d3f0x0)
+ Usecases:
+ - Attacker create BITS for download or upload file, C2
+ Falsepositives:
+ - Administrative action
+ References: []
+ Improvements: []
+ DataSources:
+ - Provider: Microsoft-Windows-Security-Auditing
+ EventID:
+ - 1116
+ObjectId: SEC-CR-786275278
+ContentRelations:
+ Implements:
+ ATTACK:
+ command-and-control:
+ - T1105
+EventDescriptions:
+ - Criteria: correlation_name = "Windows_defender_BITS_alert"
+ LocalizationId: corrname_Windows_defender_BITS_alert
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/rule.co
new file mode 100644
index 00000000..9fd1b054
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/rule.co
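Review bot: The DataSources entry names Provider `Microsoft-Windows-Security-Auditing` for EventID 1116, but the rule's filter keys on `event_src.subsys == "Microsoft-Windows-Windows Defender/Operational"` and the test fixture's Provider Name is `Microsoft-Windows-Windows Defender`, so the metadata points consumers at the wrong log source. Change the line to `- Provider: Microsoft-Windows-Windows Defender` so the declared data source matches what the rule actually consumes. The Usecases text ("Attacker create BITS for download or upload file, C2") is shared verbatim with the Start_BITS_Notifycmdline metainfo later in this commit; a sentence naming the Defender detection itself (the BITSAbuse threat family seen in the fixture) would describe this rule more precisely.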
@@ -0,0 +1,55 @@
+event Defender_alert:
+ key:
+ event_src.host
+ filter {
+ msgid == "1116"
+ and event_src.subsys == "Microsoft-Windows-Windows Defender/Operational"
+ and match(lower(object.name), "*bits*")
+ }
+
+
+rule Windows_defender_BITS_alert: Defender_alert+ timer 5m
+on Defender_alert {
+
+ if $object.name == null then
+ $object.name = object.name
+ else
+ $object.name = $object.name + ";" + object.name
+ endif
+
+ if $object.path == null then
+ $object.path = object.path
+ else
+ $object.path = $object.path + ";" + object.path
+ endif
+
+ $event_src.ip = event_src.ip
+ $event_src.hostname = event_src.hostname
+ $event_src.host = event_src.host
+ $event_src.asset = event_src.asset
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.vendor = event_src.vendor
+ $event_src.category = event_src.category
+ $event_src.rule = event_src.rule
+}
+
+emit {
+ $correlation_type = "incident"
+ $importance = "medium"
+
+ $action = "alert"
+ $object = "malware"
+ $status = "success"
+
+ $category.generic = "Attack"
+ $category.high = "Command and Control"
+ $category.low = "Ingress Tool Transfer"
+
+ $incident.severity = "medium"
+ $incident.category = "Undefined"
+
+ $incident.aggregation.key = join([$correlation_name, $event_src.hostname], "|")
+ $incident.severity = $importance
+ $incident.aggregation.timeout = 2h
+}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/tests/raw_events_1.json
new file mode 100644
index 00000000..99cae9d1
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/tests/raw_events_1.json
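Review bot: `$incident.severity` is assigned twice in the emit block, first to the literal `"medium"` and then to `$importance`; the first assignment is dead and obscures that importance is what drives severity, so drop the `$incident.severity = "medium"` line (the sibling Start_BITS_Notifycmdline rule in this commit keeps only the `$incident.severity = $importance` form). The filter's `match(lower(object.name), "*bits*")` is a substring wildcard, so any Defender threat name that merely contains "bits" selects the event, not only the BITSAbuse family in the fixture; if that breadth is intended, a comment on the filter such as `# any Defender detection whose threat name mentions BITS (e.g. Trojan:Win32/BITSAbuse.AS)` would make it explicit, otherwise the pattern should be narrowed. The `$object.path = $object.path + ";" + object.path` accumulation grows once per alert across the whole 5m window; presumably fine for a short burst, but a comment noting that the joined value is unbounded would help whoever tunes the timer later.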
@@ -0,0 +1,2 @@ +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Windows Defender\",\"Guid\":\"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}\"},\"EventID\":\"1116\",\"Version\":\"0\",\"Level\":\"3\",\"Task\":\"0\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2024-08-11T19:12:07.0269902Z\"},\"EventRecordID\":\"1048\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3580\",\"ThreadID\":\"9944\"},\"Channel\":\"Microsoft-Windows-Windows Defender/Operational\",\"Computer\":\"DESKTOP-U2FH49E\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"Product Name\",\"text\":\"Антивирусная программа Microsoft Defender\"},{\"Name\":\"Product Version\",\"text\":\"4.18.24070.5\"},{\"Name\":\"Detection ID\",\"text\":\"{0996C103-B7FE-4A70-AB5A-B4502F50A2B8}\"},{\"Name\":\"Detection Time\",\"text\":\"2024-08-11T19:12:07.019Z\"},{\"Name\":\"Unused\"},{\"Name\":\"Unused2\"},{\"Name\":\"Threat ID\",\"text\":\"2147729613\"},{\"Name\":\"Threat Name\",\"text\":\"Trojan:Win32/BITSAbuse.AS\"},{\"Name\":\"Severity ID\",\"text\":\"5\"},{\"Name\":\"Severity Name\",\"text\":\"Критический\"},{\"Name\":\"Category ID\",\"text\":\"8\"},{\"Name\":\"Category Name\",\"text\":\"Троян\"},{\"Name\":\"FWLink\",\"text\":\"https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/BITSAbuse.AS&threatid=2147729613&enterprise=0\"},{\"Name\":\"Status Code\",\"text\":\"1\"},{\"Name\":\"Status Description\"},{\"Name\":\"State\",\"text\":\"1\"},{\"Name\":\"Source ID\",\"text\":\"2\"},{\"Name\":\"Source Name\",\"text\":\"Система\"},{\"Name\":\"Process Name\",\"text\":\"Unknown\"},{\"Name\":\"Detection User\",\"text\":\"NT AUTHORITY\\\\СИСТЕМА\"},{\"Name\":\"Unused3\"},{\"Name\":\"Path\",\"text\":\"CmdLine:_C:\\\\Windows\\\\System32\\\\bitsadmin.exe /addfile 1 c:\\\\Users\\\\qwer\\\\1.txt c:\\\\users\\\\qwer\\\\qwer11.qwer1\"},{\"Name\":\"Origin 
ID\",\"text\":\"0\"},{\"Name\":\"Origin Name\",\"text\":\"Неизвестно\"},{\"Name\":\"Execution ID\",\"text\":\"0\"},{\"Name\":\"Execution Name\",\"text\":\"Неизвестно\"},{\"Name\":\"Type ID\",\"text\":\"0\"},{\"Name\":\"Type Name\",\"text\":\"Конкретный\"},{\"Name\":\"Pre Execution Status\",\"text\":\"0\"},{\"Name\":\"Action ID\",\"text\":\"9\"},{\"Name\":\"Action Name\",\"text\":\"Неприменимо\"},{\"Name\":\"Unused4\"},{\"Name\":\"Error Code\",\"text\":\"0x00000000\"},{\"Name\":\"Error Description\",\"text\":\"Операция успешно завершена.\"},{\"Name\":\"Unused5\"},{\"Name\":\"Post Clean Status\",\"text\":\"0\"},{\"Name\":\"Additional Actions ID\",\"text\":\"0\"},{\"Name\":\"Additional Actions String\",\"text\":\"No additional actions required\"},{\"Name\":\"Remediation User\"},{\"Name\":\"Unused6\"},{\"Name\":\"Security intelligence Version\",\"text\":\"AV: 1.417.66.0, AS: 1.417.66.0, NIS: 1.417.66.0\"},{\"Name\":\"Engine Version\",\"text\":\"AM: 1.1.24070.3, NIS: 1.1.24070.3\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-08-14T19:42:48.043Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"ac4dacf9-c85f-4901-8039-0f6a26c6f2d4"} +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Windows Defender\",\"Guid\":\"{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}\"},\"EventID\":\"1116\",\"Version\":\"0\",\"Level\":\"3\",\"Task\":\"0\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2024-08-11T19:12:41.8598837Z\"},\"EventRecordID\":\"1051\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3580\",\"ThreadID\":\"2036\"},\"Channel\":\"Microsoft-Windows-Windows Defender/Operational\",\"Computer\":\"DESKTOP-U2FH49E\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"Product 
Name\",\"text\":\"Антивирусная программа Microsoft Defender\"},{\"Name\":\"Product Version\",\"text\":\"4.18.24070.5\"},{\"Name\":\"Detection ID\",\"text\":\"{0F54C4AA-B2B9-4FA7-BE0F-ADE9E3F93620}\"},{\"Name\":\"Detection Time\",\"text\":\"2024-08-11T19:12:41.858Z\"},{\"Name\":\"Unused\"},{\"Name\":\"Unused2\"},{\"Name\":\"Threat ID\",\"text\":\"2147728776\"},{\"Name\":\"Threat Name\",\"text\":\"Behavior:Win32/BITSAbuse.As\"},{\"Name\":\"Severity ID\",\"text\":\"5\"},{\"Name\":\"Severity Name\",\"text\":\"Критический\"},{\"Name\":\"Category ID\",\"text\":\"46\"},{\"Name\":\"Category Name\",\"text\":\"Подозрительное поведение\"},{\"Name\":\"FWLink\",\"text\":\"https://go.microsoft.com/fwlink/?linkid=37020&name=Behavior:Win32/BITSAbuse.As&threatid=2147728776&enterprise=0\"},{\"Name\":\"Status Code\",\"text\":\"1\"},{\"Name\":\"Status Description\"},{\"Name\":\"State\",\"text\":\"1\"},{\"Name\":\"Source ID\",\"text\":\"0\"},{\"Name\":\"Source Name\",\"text\":\"Неизвестно\"},{\"Name\":\"Process Name\",\"text\":\"Unknown\"},{\"Name\":\"Detection User\"},{\"Name\":\"Unused3\"},{\"Name\":\"Path\",\"text\":\"behavior:_process: C:\\\\Windows\\\\System32\\\\bitsadmin.exe, pid:420:111822694772619; process:_pid:420,ProcessStart:133678771617165578\"},{\"Name\":\"Origin ID\",\"text\":\"0\"},{\"Name\":\"Origin Name\",\"text\":\"Неизвестно\"},{\"Name\":\"Execution ID\",\"text\":\"3\"},{\"Name\":\"Execution Name\",\"text\":\"Выполнение\"},{\"Name\":\"Type ID\",\"text\":\"0\"},{\"Name\":\"Type Name\",\"text\":\"Конкретный\"},{\"Name\":\"Pre Execution Status\",\"text\":\"0\"},{\"Name\":\"Action ID\",\"text\":\"9\"},{\"Name\":\"Action Name\",\"text\":\"Неприменимо\"},{\"Name\":\"Unused4\"},{\"Name\":\"Error Code\",\"text\":\"0x00000000\"},{\"Name\":\"Error Description\",\"text\":\"Операция успешно завершена.\"},{\"Name\":\"Unused5\"},{\"Name\":\"Post Clean Status\",\"text\":\"0\"},{\"Name\":\"Additional Actions ID\",\"text\":\"0\"},{\"Name\":\"Additional Actions String\",\"text\":\"No 
additional actions required\"},{\"Name\":\"Remediation User\"},{\"Name\":\"Unused6\"},{\"Name\":\"Security intelligence Version\",\"text\":\"AV: 1.417.66.0, AS: 1.417.66.0, NIS: 1.417.66.0\"},{\"Name\":\"Engine Version\",\"text\":\"AM: 1.1.24070.3, NIS: 1.1.24070.3\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-08-14T19:43:12.690Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"c428cceb-7ab0-468b-a032-5e8f5b4ad0c9"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/tests/test_conds_1.tc new file mode 100644 index 00000000..12c62650 --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_comm_and_ctrl/Windows_defender_BITS_alert/tests/test_conds_1.tc 
@@ -0,0 +1 @@
+expect 1 {"action":"alert","category.generic":"Attack","category.high":"Command and Control","category.low":"Ingress Tool Transfer","correlation_name":"Windows_defender_BITS_alert","correlation_type":"incident","event_src.category":"Anti-virus","event_src.host":"desktop-u2fh49e","event_src.hostname":"desktop-u2fh49e","event_src.subsys":"Microsoft-Windows-Windows Defender/Operational","event_src.title":"windows","event_src.vendor":"microsoft","importance":"medium","incident.aggregation.key":"Windows_defender_BITS_alert|desktop-u2fh49e","incident.aggregation.timeout":7200,"incident.category":"Undefined","incident.severity":"medium","object":"malware","object.name":"Trojan:Win32/BITSAbuse.AS;Behavior:Win32/BITSAbuse.As","object.path":"CmdLine:_C:\\Windows\\System32\\bitsadmin.exe /addfile 1 c:\\Users\\qwer\\1.txt c:\\users\\qwer\\qwer11.qwer1;behavior:_process: C:\\Windows\\System32\\bitsadmin.exe, pid:420:111822694772619; process:_pid:420,ProcessStart:133678771617165578","status":"success"}
\ No newline at end of file
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/i18n/i18n_en.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/i18n/i18n_en.yaml
new file mode 100644
index 00000000..6313c3c0
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/i18n/i18n_en.yaml
@@ -0,0 +1,4 @@
+Description: 'The rule detects the start of child processes from svchost.exe -k netsvcs -ps BITS'
+EventDescriptions:
+ - LocalizationId: 'corrname_Start_BITS_Notifycmdline'
+ EventDescription: 'On the {event_src.host} host, the BITS service has started the process {object.process.name}, which may indicate a persistence in the system'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/i18n/i18n_ru.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/i18n/i18n_ru.yaml
new file mode 100644
index 00000000..42b1329d
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/i18n/i18n_ru.yaml
@@ -0,0 +1,4 @@
+Description: 'Правило обнаруживает запуск дочерних процессов от svchost.exe -k netsvcs -p -s BITS'
+EventDescriptions:
+ - LocalizationId: 'corrname_Start_BITS_Notifycmdline'
+ EventDescription: 'На хосте {event_src.host} служба BITS запустила процесс {object.process.name}, что может свидетельствовать о закреплении в системе'
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/metainfo.yaml b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/metainfo.yaml
new file mode 100644
index 00000000..b6373699
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/metainfo.yaml
@@ -0,0 +1,28 @@
+ContentAutoName: Start_BITS_Notifycmdline
+ExpertContext:
+ Created: 16.08.2024
+ Updated: 16.08.2024
+ KnowledgeHolders:
+ - Vadim Varganov (d3f0x0)
+ Usecases:
+ - Attacker create BITS for download or upload file, C2
+ Falsepositives:
+ - Administrative action
+ References: []
+ Improvements: []
+ DataSources:
+ - Provider: Microsoft-Windows-Security-Auditing
+ EventID:
+ - 4688
+ - Provider: Microsoft-Windows-Sysmon
+ EventID:
+ - 1
+ObjectId: SEC-CR-159711880
+ContentRelations:
+ Implements:
+ ATTACK:
+ persistence:
+ - T1197
+EventDescriptions:
+ - Criteria: correlation_name = "Start_BITS_Notifycmdline"
+ LocalizationId: corrname_Start_BITS_Notifycmdline
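Review bot: The Usecases entry `Attacker create BITS for download or upload file, C2` is copied from the Windows_defender_BITS_alert metainfo and describes download/C2, while this rule is mapped to persistence (T1197) and its description is about child processes started by the BITS service host; a use-case line about a BITS job launching a process after a transfer would match what the rule detects. The English Description in the preceding i18n section also writes the service arguments as `-k netsvcs -ps BITS`, whereas the rule's filter and the Russian text use `-k netsvcs -p -s BITS`; the English text should use the same form so operators searching for the string find the right events.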
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/rule.co b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/rule.co
new file mode 100644
index 00000000..f4aabb68
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/rule.co
@@ -0,0 +1,83 @@
+event Process_Start:
+ key:
+ event_src.host
+ filter {
+ filter::NotFromCorrelator()
+ and filter::ProcessStart_Windows_any()
+ and match(lower(object.process.parent.cmdline), "* -k netsvcs -p -s bits")
+ }
+
+rule Start_BITS_Notifycmdline: (Process_Start+) timer 5m
+
+ on Process_Start {
+ $subject.account.name = subject.account.name
+ $subject.account.domain = subject.account.domain
+ $subject.account.fullname = subject.account.fullname
+ $subject.account.session_id = subject.account.session_id
+ $subject.account.id = subject.account.id
+ $subject.account.privileges = subject.account.privileges
+
+ $object.account.session_id = object.account.session_id
+ $object.account.name = object.account.name
+ $object.account.domain = object.account.domain
+ $object.account.fullname = object.account.fullname
+ $object.account.id = object.account.id
+
+ $object.process.id = object.process.id
+ $object.process.name = object.process.name
+ $object.process.path = object.process.path
+ $object.process.fullpath = object.process.fullpath
+ $object.process.hash = object.process.hash
+ $object.process.hash.md5 = object.process.hash.md5
+ $object.process.hash.sha1 = object.process.hash.sha1
+ $object.process.hash.sha256 = object.process.hash.sha256
+ $object.process.version = object.process.version
+ $object.process.cmdline = object.process.cmdline
+ $object.process.guid = object.process.guid
+ $object.process.meta = object.process.meta
+ $object.process.original_name = object.process.original_name
+ $object.process.cwd = object.process.cwd
+ $object.process.chain = object.process.chain
+
+ $object.process.parent.id = object.process.parent.id
+ $object.process.parent.name = object.process.parent.name
+ $object.process.parent.path = object.process.parent.path
+ $object.process.parent.fullpath = object.process.parent.fullpath
+ $object.process.parent.guid = object.process.parent.guid
+ $object.process.parent.cmdline = object.process.parent.cmdline
+
+ $datafield6 = 
datafield6 # Идентификатор сессии в формате UUID
+
+ $datafield18 = datafield18 # Цепочка процесса-субъекта с идентификаторами
+ $datafield19 = datafield19 # Цепочка процесса-объекта с идентификаторами
+
+ $event_src.ip = event_src.ip
+ $event_src.hostname = event_src.hostname
+ $event_src.fqdn = event_src.fqdn
+ $event_src.host = event_src.host
+ $event_src.asset = event_src.asset
+ $event_src.vendor = event_src.vendor
+ $event_src.title = event_src.title
+ $event_src.subsys = event_src.subsys
+ $event_src.rule = event_src.rule
+ }
+
+emit {
+ $correlation_type = "incident"
+
+ $subject = "account"
+ $action = "start"
+ $object = "process"
+ $status = "success"
+
+ $importance = "medium"
+
+ $category.generic = "Attack"
+ $category.high = "Persistence"
+ $category.low = "BITS Jobs"
+
+ $incident.aggregation.key = join([$correlation_name, lower($event_src.host), lower($object.process.name)], "|")
+ $incident.severity = $importance
+ $incident.category = "Undefined"
+ $incident.aggregation.timeout = 2h
+}
diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/tests/raw_events_1.json b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/tests/raw_events_1.json
new file mode 100644
index 00000000..a0adf8ac
--- /dev/null
+++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/tests/raw_events_1.json
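Review bot: The rule is named and described as "Notifycmdline", but the Process_Start filter only requires the parent's command line to end in `-k netsvcs -p -s bits`, i.e. any child of the BITS service host; the job's notification command line is never inspected, so a header comment such as `# Fires on any process whose parent command line ends with "-k netsvcs -p -s bits" (the BITS service host); the job's notify command line itself is not checked` above `event Process_Start:` would keep the rule's scope honest for whoever tunes it. The three `datafield*` comments are in Russian while the rest of the file is English; if the package convention is English comments, the translations are `# logon session id (UUID)`, `# subject process chain with ids` and `# object process chain with ids`. The same commit adds the BITS_process_whitelist tabular list, yet neither this rule nor Windows_defender_BITS_alert consults it; if the list serves a rule outside this diff that is fine, otherwise the intended exclusion is missing here.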
@@ -0,0 +1 @@ +{"body":"{\"Event\":{\"xmlns\":\"http://schemas.microsoft.com/win/2004/08/events/event\",\"System\":{\"Provider\":{\"Name\":\"Microsoft-Windows-Sysmon\",\"Guid\":\"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}\"},\"EventID\":\"1\",\"Version\":\"5\",\"Level\":\"4\",\"Task\":\"1\",\"Opcode\":\"0\",\"Keywords\":\"0x8000000000000000\",\"TimeCreated\":{\"SystemTime\":\"2024-08-16T13:27:15.9542108Z\"},\"EventRecordID\":\"16108456\",\"Correlation\":\"\",\"Execution\":{\"ProcessID\":\"3804\",\"ThreadID\":\"4572\"},\"Channel\":\"Microsoft-Windows-Sysmon/Operational\",\"Computer\":\"DESKTOP-U2FH49E\",\"Security\":{\"UserID\":\"S-1-5-18\"}},\"EventData\":{\"Data\":[{\"Name\":\"RuleName\",\"text\":\"-\"},{\"Name\":\"UtcTime\",\"text\":\"2024-08-16 13:27:15.953\"},{\"Name\":\"ProcessGuid\",\"text\":\"{95af35c7-53b3-66bf-df0d-000000001300}\"},{\"Name\":\"ProcessId\",\"text\":\"2744\"},{\"Name\":\"Image\",\"text\":\"C:\\\\Windows\\\\System32\\\\cmd.exe\"},{\"Name\":\"FileVersion\",\"text\":\"10.0.19041.4355 (WinBuild.160101.0800)\"},{\"Name\":\"Description\",\"text\":\"Windows Command Processor\"},{\"Name\":\"Product\",\"text\":\"Microsoft® Windows® Operating System\"},{\"Name\":\"Company\",\"text\":\"Microsoft 
Corporation\"},{\"Name\":\"OriginalFileName\",\"text\":\"Cmd.Exe\"},{\"Name\":\"CommandLine\",\"text\":\"\\\"c:\\\\windows\\\\system32\\\\cmd.exe\\\"\"},{\"Name\":\"CurrentDirectory\",\"text\":\"C:\\\\Windows\\\\system32\\\\\"},{\"Name\":\"User\",\"text\":\"DESKTOP-U2FH49E\\\\qwer\"},{\"Name\":\"LogonGuid\",\"text\":\"{95af35c7-8a72-66bc-5b03-0c0000000000}\"},{\"Name\":\"LogonId\",\"text\":\"0xc035b\"},{\"Name\":\"TerminalSessionId\",\"text\":\"2\"},{\"Name\":\"IntegrityLevel\",\"text\":\"Medium\"},{\"Name\":\"Hashes\",\"text\":\"SHA1=DF79C86FDD11B9CCB89148458E509F879C72566C,MD5=2B40C98ED0F7A1D3B091A3E8353132DC,SHA256=BADF4752413CB0CBDC03FB95820CA167F0CDC63B597CCDB5EF43111180E088B0,IMPHASH=272245E2988E1E430500B852C4FB5E18\"},{\"Name\":\"ParentProcessGuid\",\"text\":\"{95af35c7-5388-66bf-d30d-000000001300}\"},{\"Name\":\"ParentProcessId\",\"text\":\"992\"},{\"Name\":\"ParentImage\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\"},{\"Name\":\"ParentCommandLine\",\"text\":\"C:\\\\Windows\\\\System32\\\\svchost.exe -k netsvcs -p -s BITS\"},{\"Name\":\"ParentUser\",\"text\":\"NT AUTHORITY\\\\СИСТЕМА\"}]}}}","recv_ipv4":"127.0.0.1","recv_time":"2024-08-16T13:27:40.618Z","task_id":"00000000-0000-0000-0000-000000000000","tag":"some_tag","mime":"application/x-pt-eventlog","normalized":false,"input_id":"00000000-0000-0000-0000-000000000000","type":"raw","uuid":"9fe01d4c-0b12-4642-b729-4881b4192ec5"} \ No newline at end of file diff --git a/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/tests/test_conds_1.tc b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/tests/test_conds_1.tc new file mode 100644 index 00000000..0877abfd --- /dev/null +++ b/packages/windows_open_package/correlation_rules/mitre_attck_persist/Start_BITS_Notifycmdline/tests/test_conds_1.tc 
@@ -0,0 +1 @@ +expect 1 {"action":"start","category.generic":"Attack","category.high":"Persistence","category.low":"BITS Jobs","correlation_name":"Start_BITS_Notifycmdline","correlation_type":"incident","datafield6":"95af35c7-8a72-66bc-5b03-0c0000000000","event_src.fqdn":"desktop-u2fh49e","event_src.host":"desktop-u2fh49e","event_src.hostname":"desktop-u2fh49e","event_src.subsys":"Microsoft-Windows-Sysmon/Operational","event_src.title":"sysmon","event_src.vendor":"microsoft","importance":"medium","incident.aggregation.key":"Start_BITS_Notifycmdline|desktop-u2fh49e|cmd.exe","incident.aggregation.timeout":7200,"incident.category":"Undefined","incident.severity":"medium","object":"process","object.account.domain":"desktop-u2fh49e","object.account.id":"synthetic:qwer@desktop-u2fh49e","object.account.name":"qwer","object.account.session_id":"787291","object.process.cmdline":"\"c:\\windows\\system32\\cmd.exe\"","object.process.cwd":"C:\\Windows\\system32\\","object.process.fullpath":"c:\\windows\\system32\\cmd.exe","object.process.guid":"95af35c7-53b3-66bf-df0d-000000001300","object.process.hash.md5":"2B40C98ED0F7A1D3B091A3E8353132DC","object.process.hash.sha1":"DF79C86FDD11B9CCB89148458E509F879C72566C","object.process.hash.sha256":"BADF4752413CB0CBDC03FB95820CA167F0CDC63B597CCDB5EF43111180E088B0","object.process.id":"2744","object.process.meta":"Description:Windows Command Processor | Product:Microsoft® Windows® Operating System | Company:Microsoft Corporation","object.process.name":"cmd.exe","object.process.original_name":"Cmd.Exe","object.process.parent.cmdline":"C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s 
BITS","object.process.parent.fullpath":"c:\\windows\\system32\\svchost.exe","object.process.parent.guid":"95af35c7-5388-66bf-d30d-000000001300","object.process.parent.id":"992","object.process.parent.name":"svchost.exe","object.process.parent.path":"c:\\windows\\system32\\","object.process.path":"c:\\windows\\system32\\","object.process.version":"10.0.19041.4355 (WinBuild.160101.0800)","status":"success","subject":"account","subject.account.domain":"nt authority","subject.account.id":"synthetic:система@nt authority","subject.account.name":"система"}
\ No newline at end of file
diff --git a/packages/windows_open_package/tabular_lists/BITS_process_whitelist/i18n/i18n_en.yaml b/packages/windows_open_package/tabular_lists/BITS_process_whitelist/i18n/i18n_en.yaml
new file mode 100644
index 00000000..329bd2c2
--- /dev/null
+++ b/packages/windows_open_package/tabular_lists/BITS_process_whitelist/i18n/i18n_en.yaml
@@ -0,0 +1 @@
+Description: 'A list to exclude processes that create BITS tasks'
diff --git a/packages/windows_open_package/tabular_lists/BITS_process_whitelist/i18n/i18n_ru.yaml b/packages/windows_open_package/tabular_lists/BITS_process_whitelist/i18n/i18n_ru.yaml
new file mode 100644
index 00000000..be711b51
--- /dev/null
+++ b/packages/windows_open_package/tabular_lists/BITS_process_whitelist/i18n/i18n_ru.yaml
@@ -0,0 +1 @@
+Description: 'Список для исключения процессов, которые создают задачи BITS'
diff --git a/packages/windows_open_package/tabular_lists/BITS_process_whitelist/metainfo.yaml b/packages/windows_open_package/tabular_lists/BITS_process_whitelist/metainfo.yaml
new file mode 100644
index 00000000..9bb418cb
--- /dev/null
+++ b/packages/windows_open_package/tabular_lists/BITS_process_whitelist/metainfo.yaml
@@ -0,0 +1,5 @@
+ContentAutoName: BITS_process_whitelist
+ExpertContext:
+ Created: 13.08.2024
+ Updated: 13.08.2024
+ObjectId: SEC-TL-885252941
diff --git a/packages/windows_open_package/tabular_lists/BITS_process_whitelist/table.tl b/packages/windows_open_package/tabular_lists/BITS_process_whitelist/table.tl
new file mode 100644
index 00000000..be77e4d3
--- /dev/null
+++ b/packages/windows_open_package/tabular_lists/BITS_process_whitelist/table.tl
@@ -0,0 +1,15 @@
+type: 1
+name: BITS_process_whitelist
+fillType: Registry
+userCanEditContent: true
+fields:
+ - fullpath:
+ type: Regex
+ primaryKey: true
+ index: true
+ nullable: false
+defaults:
+ PT:
+ - fullpath: \\microsoft\\edge\\application\\msedge\\.exe$
+ - fullpath: \\mozilla firefox\\firefox\.exe$
+ - fullpath: \\appdata\\local\\microsoft\\onedrive\\[\d\.]+\\microsoft.sharepoint.exe
\ No newline at end of file
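Review bot: The msedge default `\\microsoft\\edge\\application\\msedge\\.exe$` escapes the backslash before `.exe` instead of the dot, so as a regex it demands a literal backslash followed by any character before `exe` and will never match a path ending in `\msedge.exe`; it should read `\\microsoft\\edge\\application\\msedge\.exe$`, the form the firefox entry already uses. The OneDrive entry leaves the dots in `microsoft.sharepoint.exe` unescaped (each matches any character) and has no `$` anchor; `microsoft\.sharepoint\.exe$` matches the same real paths exactly and is consistent with the other two. None of the patterns pin a directory prefix, so a binary under any other tree whose path ends in the same fragment is excluded as well; that may be acceptable for a suffix-style whitelist, but a one-line comment above `defaults:` stating that entries are suffix-anchored only, and that the third lives under the user-writable AppData tree, would help whoever extends the list. The fixture in this commit lowercases `object.process.fullpath`, so the lowercase patterns presumably rely on that normalization; worth a comment too, since a mixed-case entry added later would silently never match.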