Develop Sigma rules for Privilege Escalation in Windows Environment

[yugoslavskiy]

• Research (slides): Hunting for Privilege Escalation in Windows Environment
• Author: Teymur Kheirkhabarov, @HeirhabarovT
• Type: Ready-made alerts (Kibana queries)
• Requirements: Create one Pull Request per Sigma rule

You can pick up some of the listed Kibana queries from the slides and develop Sigma rules out of them:

Page	Sigma Rule ID / Link	Topic
13	None	Stored Credentials. Files
16	None	Stored Credentials. Files/registry
20	None	Service registry permissions weakness
21	0f9c21f1-6a73-4b0e-9809-cb562cb8d981	Service registry permissions weakness
29	d937b75f-a665-4480-88a5-2f20e9f9b22a	Weak service permissions
34	None	Unquoted service path
37	None	Modifiable service binary
38	None	Modifiable service binary
43	None	Privilege escalation via weak permissions. Accesschk tool usage
48	None	Always Install Elevated
50	None	Always Install Elevated
58	8065b1b4-1778-4427-877f-6bf948b26d38	Windows Kernel and 3rd-party drivers exploits. Token stealing
61	None	Token swapping, using Mimikatz driver
67	None	Abusing debug privilege. Code injection
69	None	Abusing debug privilege. Code injection
74	None	Abusing debug privilege. Create process with arbitrary parent
85	6c5808ee-85a2-4e56-8137-72e5876a5096	Privilege escalation from Service accounts to SYSTEM
87	None	Webshell/xp_cmdshell
90	15619216-e993-4721-b590-4c520615a67d, 843544a7-56e0-4dcc-a44f-5cc266dd97d6	Meterpreter or Cobalt Strike getsystem service installation/start
95	None	Abusing impersonation + debug privileges. Tokenvator
96	None	Generic detector of token swapping
97	80167ada-7a12-41ed-b8e9-aa47195c66a1	Run whoami as SYSTEM

[diskurse]

87, 50.

[ryanplasma]

13, 16, 20

[ryanplasma]

34, 37, 38

[tas-kmanager]

43, 48, 50

I have some questions on both 48 and 50:

• Page 48 is relying on chain of 2 events (event 1 then event 2), do you think it's better if we split this into 2 rules?
• For page 50, the second event is using ParentOfParent field, which i don't think it's a default Sysmon field. Should i transform this to a rule as is or skip it?

[ryanplasma]

For 34, I don't think it will be possible to replicate the script section of the kibana query at this time using sigma and I don't think the query covers the situation completely so I'm going to skip it for now, but I'm open to feedback and suggestions if anyone has them.

[yugoslavskiy]

@tas-kmanager:

43, 48, 50

I have some questions on both 48 and 50:

• Page 48 is relying on chain of 2 events (event 1 then event 2), do you think it's better if we split this into 2 rules?
• For page 50, the second event is using ParentOfParent field, which i don't think it's a default Sysmon field. Should i transform this to a rule as is or skip it?

Page 48: make sense to create a rule for rules-unsupported, improving the current situation with lack of examples for the new sigmac converter (which is under development). You are very welcome to do that (:

For page 50: you can add enrichment field to the rule with the following parameters:

enrichment:
    - EN_0001_cache_sysmon_event_id_1_info                # http://bit.ly/314zc6x
    - EN_0002_enrich_sysmon_event_id_1_with_parent_info   # http://bit.ly/2KmSC0l

as it was done for this rule. And then it's gonna fly (:

[tas-kmanager]

Page 48: make sense to create a rule for rules-unsupported, improving the current situation with lack of examples for the new sigmac converter (which is under development). You are very welcome to do that (:

For page 50: you can add enrichment field to the rule with the following parameters:

enrichment:
    - EN_0001_cache_sysmon_event_id_1_info                # http://bit.ly/314zc6x
    - EN_0002_enrich_sysmon_event_id_1_with_parent_info   # http://bit.ly/2KmSC0l

as it was done for this rule. And then it's gonna fly (:

Thanks for the guidance I will do both of your suggestions, never created unsupported or enrichment sigma before but i will try my best! The existing examples are helpful.

Follow up question for 48. I do have a rule that looks for Windows Installer service (msiexec.exe) when it tries to install MSI packages with SYSTEM privilege, do you think i should submit this rule?

[yugoslavskiy]

Follow up question for 48. I do have a rule that looks for Windows Installer service (msiexec.exe) when it tries to install MSI packages with SYSTEM privilege, do you think i should submit this rule?

Hello @tas-kmanager! Yes, absolutely! Just make sure there is no such rule in the ruleset.

[ryanplasma]

38 seems to intend that you use it with the results of 37 - I don't believe that is something supported by sigma, but I'm open to suggestions on how to implement that rule.

[yugoslavskiy]

38 seems to intend that you use it with the results of 37 - I don't believe that is something supported by sigma, but I'm open to suggestions on how to implement that rule.

@ryanplasma Is it possible to implement with the enrichments, just like we did with here?

[frack113]

Need to be check before close	Page	Sigma Rule ID / Link	Topic
61	Not possible	Token swapping, using Mimikatz driver
67	Not possible	Abusing debug privilege. Code injection
69	Not possible	Abusing debug privilege. Code injection
74	X	Abusing debug privilege. Create process with arbitrary parent
95	Not possible	Abusing impersonation + debug privileges. Tokenvator
96	Not possible	Generic detector of token swapping

Some are Not possible because use logstash and memcached to create custom field

[MShahidImran]

why the link for SIGMA 29 isn't available?

[nasbench]

It got renamed :) If you simply search with the ID you'll find it https://github.com/SigmaHQ/sigma/blob/30979206a4741b6fc818fe6f2207715511cd050a/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml