elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rule] Pre-OS Boot: Bootkit #1210

Open gils3nan opened 3 years ago

gils3nan commented 3 years ago

Description

New Rule for Pre-OS Boot: Bootkit. Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly. A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR).

This came about when, in Endgame, a ransomware-prevention alert popped up in relation to an MBR Overwrite event. However, this wasn't transmitted to Elastic Security, and the detection rules seem to miss this. The detection rule in question is "Ransomware - Prevented - Elastic Endgame".

field                  value
endgame.command_line   "C:\Program Files\Dell\SARemediation\plugin\SOSInstallerTool.exe" /install "C:\WINDOWS\TEMP\launcher.serviceoscmd"
endgame.process_name   SOSInstallerTool.exe
endgame.process_path   C:\Program Files\Dell\SARemediation\plugin\SOSInstallerTool.exe

NOTE - SOSInstallerTool.exe is the primary executable of the Dell SupportAssist OS Recovery Plugin for Dell Update. This is the example, and this is what made the alert in Endgame fire, but it wasn't put across in the Elastic Security detection rule.

When looking against the cool tool (ATT&CK Navigator), there don't seem to be any detection rules that match.

Required Info

Target indexes

endgame-*

Target Operating Systems

windows, linux

Optional Info

Perform integrity checking on MBR and VBR. Take snapshots of MBR and VBR and compare against known good samples. Report changes to MBR and VBR as they occur for indicators of suspicious activity and further analysis.

References

Pre-OS Boot: Bootkit https://attack.mitre.org/techniques/T1542/003/

Pre-OS Boot https://attack.mitre.org/techniques/T1542/
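One way to implement the snapshot-and-compare check described under Optional Info (hash the MBR boot code and each partition's VBR, keep a known-good baseline, report any change). This is an added example written for this thread; it is not code from the issue author or from the elastic/detection-rules project, and it does not replace the requested Endgame rule. It assumes raw read access to the disk (for instance /dev/sda on Linux or \\.\PhysicalDrive0 on Windows, run elevated) and uses a constructed in-memory MBR disk image, with an assumed single NTFS partition at LBA 2048, so it runs offline. The function names, the image layout and the "tampered" boot code are illustration only.

```python
"""Added example: snapshot-and-diff integrity check for MBR and VBR boot sectors.

Not part of elastic/detection-rules. The disk images below are constructed
for the example; point read_from_device() at a real block device to use it.
"""
import hashlib
import json
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List

SECTOR = 512
MBR_BOOT_CODE_LEN = 440        # classic MBR: boot code is bytes 0..439
PART_TABLE_OFF = 446           # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of an MBR and of a FAT/NTFS VBR


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Parse the four primary partition entries of a 512-byte MBR (skips empty slots)."""
    if len(mbr) != SECTOR or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, type_id, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if type_id != 0:
            parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


def snapshot(read_sector: Callable[[int], bytes]) -> Dict[str, str]:
    """Hash the MBR boot code and the VBR of every partition listed in the MBR.

    Only the 440-byte boot-code region of the MBR is hashed, so a legitimate
    partition-table edit does not look like a bootkit; each VBR is hashed whole.
    """
    mbr = read_sector(0)
    snap = {"mbr_boot_code": hashlib.sha256(mbr[:MBR_BOOT_CODE_LEN]).hexdigest()}
    for p in parse_mbr(mbr):
        snap[f"vbr_part{p.index}"] = hashlib.sha256(read_sector(p.lba_start)).hexdigest()
    return snap


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Return findings against the known-good snapshot; an empty list means no change."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        if key not in current:
            findings.append(f"{key}: in baseline but missing now (partition removed?)")
        elif key not in baseline:
            findings.append(f"{key}: new boot sector not present in baseline")
        elif baseline[key] != current[key]:
            findings.append(f"{key}: hash changed {baseline[key][:12]}.. -> {current[key][:12]}..")
    return findings


def read_from_device(path: str) -> Callable[[int], bytes]:
    """Sector reader for a real disk (needs root/Administrator); e.g. /dev/sda."""
    dev = open(path, "rb", buffering=0)

    def read_sector(lba: int) -> bytes:
        dev.seek(lba * SECTOR)
        return dev.read(SECTOR)
    return read_sector


def read_from_image(image: Dict[int, bytes]) -> Callable[[int], bytes]:
    """Sector reader over a constructed {lba: bytes} image; unknown LBAs read as zeros."""
    return lambda lba: image.get(lba, b"\x00" * SECTOR)


# ---- constructed sample disks (assumed layout: one bootable NTFS partition at LBA 2048) ----
def _build_mbr(boot_code: bytes) -> bytes:
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 0x100000)
    mbr = boot_code.ljust(MBR_BOOT_CODE_LEN, b"\x00") + b"\xde\xad\xbe\xef" + b"\x00\x00"
    return mbr + entry + b"\x00" * 48 + BOOT_SIGNATURE


def _build_vbr(oem_id: bytes) -> bytes:
    return (b"\xeb\x52\x90" + oem_id.ljust(8)).ljust(510, b"\x00") + BOOT_SIGNATURE


CLEAN_DISK = {0: _build_mbr(b"\xfa\x33\xc0\x8e\xd0"), 2048: _build_vbr(b"NTFS")}
# same partition table and VBR, but the MBR boot code has been overwritten
TAMPERED_DISK = {0: _build_mbr(b"\xfa\x33\xc0\x8e\xd0\xe9\x00\x01"), 2048: CLEAN_DISK[2048]}


def check_disk(baseline: Dict[str, str], image: Dict[int, bytes]) -> List[str]:
    return compare(baseline, snapshot(read_from_image(image)))


if __name__ == "__main__":
    baseline = snapshot(read_from_image(CLEAN_DISK))
    print(json.dumps(baseline, indent=2))          # store this as the known-good sample
    for name, img in (("clean", CLEAN_DISK), ("tampered", TAMPERED_DISK)):
        print(name, "->", check_disk(baseline, img) or "no change")
```

The baseline should be taken right after provisioning and stored off-host; a legitimate reformat changes the VBR (its BPB holds the volume serial and geometry) and needs a re-baseline. This covers MBR-style disks only: on GPT/UEFI systems the equivalent check is on the EFI System Partition contents and the firmware boot variables.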

botelastic[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.