elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rule] Suspicious WMI Module Load #1526

Closed DefSecSentinel closed 2 years ago

DefSecSentinel commented 3 years ago

Description

Threat actors can utilize WMI modules to execute WMI commands that bypass monitoring for traditional WMI activity (e.g. wmiprvse.exe or wmiapsrv.exe).

Required Info

Target indexes

logs-*, winlogbeat-*

Additional requirements

Target Operating Systems

windows

Platforms

Tested ECS Version

7.15.0

Optional Info

Query

library where
  dll.name : ("WMINET_Utils.dll", "wbemsvc.dll", "fastprox.dll", "wbemcomn.dll", "wmiutils.dll",
              "wmiprov.dll", "WmiApRpl.dll", "wmicInt.dll", "wbemprox.dll") and
  not process.name : ("wmiprvse.exe", "wmiapsrv.exe", "svchost.exe", "SIHClient.exe", "ngentask.exe",
                      "CompatTelRunner.exe", "taskhostw.exe", "MpCmdRun.exe", "WMIADAP.exe",
                      "sdiagnhost.exe", "tasklist.exe", "wmic.exe", "powershell.exe", "pwsh.exe",
                      "cmd.exe", "TiWorker.exe", "MRT.exe", "choco.exe")

New fields required in ECS/data sources for this rule?

Related issues or PRs

References

https://attack.mitre.org/techniques/T1047/

https://attack.mitre.org/techniques/T1518/

Example Data

{
  "data_stream": {
    "dataset": "endpoint.events.library",
    "namespace": "default",
    "type": "logs"
  },
  "dll": {
    "code_signature": {
      "exists": "true",
      "status": "trusted",
      "subject_name": "Microsoft Windows",
      "trusted": "true"
    },
    "Ext": {
      "code_signature": "{\"trusted\":true,\"subject_name\":\"Microsoft Windows\",\"exists\":true,\"status\":\"trusted\"}",
      "load_index": "1"
    },
    "hash": {
      "md5": "3a1a5efa7d0c56dc75e1680002894936",
      "sha1": "1817affe0fcdb9f290404b7f92ca8f0a45d16718",
      "sha256": "5da409f81810bc0cf9419a7f67d61db00c63275e118c29528da73d315b191654"
    },
    "name": "fastprox.dll",
    "path": "C:\\Windows\\System32\\wbem\\fastprox.dll",
    "pe": {
      "file_version": "10.0.19041.546 (WinBuild.160101.0800)",
      "imphash": "d289f182a8b57c923bdb629966c00369",
      "original_file_name": "fastprox.dll"
    }
  },
  "ecs": {
    "version": "1.11.0"
  },
  "event": {
    "action": "load",
    "agent_id_status": "verified",
    "category": "library",
    "created": "2021-10-04T20:20:32.664Z",
    "dataset": "endpoint.events.library",
    "id": "MJ6MQRQzFlcoZOj9+++++LVb",
    "ingested": "2021-10-04T20:21:02.000Z",
    "kind": "event",
    "module": "endpoint",
    "sequence": "51309",
    "type": "start"
  },
  "message": "Endpoint DLL load event",
  "process": {
    "entity_id": "YjlmYmQwYzYtMzFjMi00OWQyLTk1MmYtY2NkZDlkY2E4OTc3LTI3NTYtMTMyNzc4NTI0MzEuNzg4MDA3OTAw",
    "executable": "C:\\Users\\vagrant\\Downloads\\Seatbelt.exe",
    "Ext": {
      "ancestry": "YjlmYmQwYzYtMzFjMi00OWQyLTk1MmYtY2NkZDlkY2E4OTc3LTIwMjAtMTMyNzc4NTIzNzkuOTQwNDYyMDA=,YjlmYmQwYzYtMzFjMi00OWQyLTk1MmYtY2NkZDlkY2E4OTc3LTU5NDgtMTMyNzcyNDM3NjUuNTcwNjM3MDAw,YjlmYmQwYzYtMzFjMi00OWQyLTk1MmYtY2NkZDlkY2E4OTc3LTU5MTYtMTMyNzcyNDM3NjUuNTM4OTc5MDAw,YjlmYmQwYzYtMzFjMi00OWQyLTk1MmYtY2NkZDlkY2E4OTc3LTM5MDQtMTMyNzcyNDM3NjIuNTc5ODUwODAw"
    },
    "name": "Seatbelt.exe",
    "pid": "2756"
  },
  "user": {
    "domain": "WINDOWS10",
    "id": "S-1-5-21-2010172997-3706935026-3061584476-1000",
    "name": "vagrant"
  }
}

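The matching logic of the proposed EQL query, as an added Python example that is not code from the issue or from the detection-rules repository: it evaluates the DLL allow-list and process exclusion list from the query over constructed ECS-style library-load events (shaped like the example data above), so the Seatbelt.exe event fires while a load by wmiprvse.exe does not. The event shape and the `_ev` helper are assumptions for the example; EQL's `:` operator is case-insensitive, so names are lower-cased on both sides.

```python
from typing import Iterable

# DLL and process lists copied from the proposed EQL query in this issue.
WMI_DLLS = {n.lower() for n in (
    "WMINET_Utils.dll", "wbemsvc.dll", "fastprox.dll", "wbemcomn.dll",
    "wmiutils.dll", "wmiprov.dll", "WmiApRpl.dll", "wmicInt.dll", "wbemprox.dll")}
EXPECTED_LOADERS = {n.lower() for n in (
    "wmiprvse.exe", "wmiapsrv.exe", "svchost.exe", "SIHClient.exe", "ngentask.exe",
    "CompatTelRunner.exe", "taskhostw.exe", "MpCmdRun.exe", "WMIADAP.exe",
    "sdiagnhost.exe", "tasklist.exe", "wmic.exe", "powershell.exe", "pwsh.exe",
    "cmd.exe", "TiWorker.exe", "MRT.exe", "choco.exe")}


def matches(event: dict) -> bool:
    """True when the event would match the query: a library-load event for one
    of the WMI DLLs whose loading process is not on the exclusion list."""
    if event.get("event", {}).get("category") != "library":
        return False
    dll = event.get("dll", {}).get("name", "").lower()
    proc = event.get("process", {}).get("name", "").lower()
    return dll in WMI_DLLS and proc not in EXPECTED_LOADERS


def _ev(proc: str, dll: str, category: str = "library") -> dict:
    """Build a minimal constructed event (assumed shape, reduced from the example data)."""
    return {"event": {"category": category, "action": "load"},
            "dll": {"name": dll}, "process": {"name": proc}}


# Constructed sample events: the issue's Seatbelt.exe case plus benign/edge cases.
SAMPLE_EVENTS = [
    _ev("Seatbelt.exe", "fastprox.dll"),                     # the event from the issue
    _ev("WmiPrvSE.exe", "fastprox.dll"),                     # expected loader, mixed case
    _ev("Seatbelt.exe", "kernel32.dll"),                     # not a WMI DLL
    _ev("Seatbelt.exe", "wbemcomn.dll"),                     # second WMI DLL, same tool
    _ev("notepad.exe", "wbemprox.dll", category="process"),  # wrong event category
]


def alerts(events: Iterable[dict]) -> list:
    """Return (process, dll) pairs that would raise an alert."""
    return [(e["process"]["name"], e["dll"]["name"]) for e in events if matches(e)]


if __name__ == "__main__":
    for proc, dll in alerts(SAMPLE_EVENTS):
        print(f"ALERT: {proc} loaded {dll}")
```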
botelastic[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] commented 2 years ago

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.