protectionsmachine
commented
2 months ago Rule: New - Guidelines
These guidelines serve as a reminder set of considerations when proposing a new rule.
Documentation and Context
- [ ] Detailed description of the rule.
- [ ] List any new fields required in ECS/data sources.
- [ ] Link related issues or PRs.
- [ ] Include references.
Rule Metadata Checks
- [ ]
creation_datematches the date of creation PR initially merged. - [ ]
min_stack_versionshould support the widest stack versions. - [ ]
nameanddescriptionshould be descriptive and not include typos. - [ ]
queryshould be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added tonon-ecs-schema.jsonif not available in an integration. - [ ]
min_stack_commentsandmin_stack_versionshould be included if the rule is only compatible starting from a specific stack version. - [ ]
indexpattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data). - [ ]
integrationshould align with theindex. If the integration is newly introduced, ensure the manifest, schemas, andnew_rule.yamltemplate are updated. - [ ]
setupshould include the necessary steps to configure the integration. - [ ]
noteshould include any additional information (e.g. Triage and analysis investigation guides, timeline templates). - [ ]
tagsshould be relevant to the threat and align/added to theEXPECTED_RULE_TAGSin the definitions.py file. - [ ]
threat,techniques, andsubtechniquesshould map to ATT&CK always if possible.
New BBR Rules
- [ ]
building_block_typeshould be included if the rule is a building block and the rule should be located in therules_building_blockfolder. - [ ]
bypass_bbr_timingshould be included if adding custom lookback timing to the rule.
Testing and Validation
- [ ] Provide evidence of testing and detecting the expected threat.
- [ ] Check for existence of coverage to prevent duplication.
Summary - What I changed
Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users.
Sample data
``` { "_index": ".ds-logs-endpoint.events.process-default-2024.07.12-000026", "_id": "QXEPvJABiLqpmBCYFrUr", "_score": 1, "_source": { "agent": { "id": "c725ae87-e846-4602-9a08-2c717a3a504b", "type": "endpoint", "version": "8.14.2" }, "process": { "Ext": { "mitigation_policies": [ "CF Guard" ], "ancestry": [ "YzcyNWFlODctZTg0Ni00NjAyLTlhMDgtMmM3MTdhM2E1MDRiLTEwOTM2LTE3MjExMzMwMDguMjYxNDAzNDAw", "YzcyNWFlODctZTg0Ni00NjAyLTlhMDgtMmM3MTdhM2E1MDRiLTc5NDgtMTcyMTA4NjkwOC40MTUxODIxMDA=", "YzcyNWFlODctZTg0Ni00NjAyLTlhMDgtMmM3MTdhM2E1MDRiLTQ4ODgtMTcyMTA4NjkwOC4zMjEzNDQ5MDA=", "YzcyNWFlODctZTg0Ni00NjAyLTlhMDgtMmM3MTdhM2E1MDRiLTY5Mi0xNzIxMDg1MjE4LjMwNjkxMTYwMA==" ], "code_signature": [ { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" } ], "session_info": { "authentication_package": "Kerberos", "relative_password_age": 516971.2548956, "user_flags": [ "LOGON_EXTRA_SIDS" ], "relative_logon_time": 55100.2683438, "id": 1, "logon_type": "Interactive" }, "relative_file_creation_time": 184146443.7766875, "authentication_id": "0x1c7b1b", "relative_file_name_modify_time": 100319014.6686186, "token": { "integrity_level_name": "high", "security_attributes": [ "TSA://ProcUnique" ], "elevation_level": "full" } }, "parent": { "Ext": { "code_signature": [ { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" } ] }, "args": [ "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ], "code_signature": { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" }, "name": "powershell.exe", "pid": 10936, "args_count": 1, "thread": { "Ext": { "call_stack_summary": "ntdll.dll|kernelbase.dll|kernel32.dll|system.ni.dll|system.management.automation.ni.dll|Unbacked", "call_stack_contains_unbacked": true, "call_stack": [ { "symbol_info": "C:\\Windows\\System32\\ntdll.dll!ZwCreateUserProcess+0x14" }, { "symbol_info": "C:\\Windows\\System32\\KernelBase.dll!CreateProcessInternalW+0x1f12" }, { "symbol_info": "C:\\Windows\\System32\\KernelBase.dll!CreateProcessW+0x66" }, { "symbol_info": "C:\\Windows\\System32\\kernel32.dll!CreateProcessW+0x53" }, { "symbol_info": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\b7dad15c7fa4f8dd061acea449ad23d0\\System.ni.dll+0x334376" }, { "symbol_info": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\b7dad15c7fa4f8dd061acea449ad23d0\\System.ni.dll+0x2b65a0" }, { "symbol_info": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\b7dad15c7fa4f8dd061acea449ad23d0\\System.ni.dll+0x2b5f47" }, { "symbol_info": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\08dd192fa957d67f0981eb627a871369\\System.Management.Automation.ni.dll+0x100769b" }, { "symbol_info": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\08dd192fa957d67f0981eb627a871369\\System.Management.Automation.ni.dll+0xf29bfd" }, { "symbol_info": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\08dd192fa957d67f0981eb627a871369\\System.Management.Automation.ni.dll+0xfcd15e" }, { "symbol_info": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\08dd192fa957d67f0981eb627a871369\\System.Management.Automation.ni.dll+0xfcce3b" }, { "symbol_info": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\08dd192fa957d67f0981eb627a871369\\System.Management.Automation.ni.dll+0x1096044" }, { "symbol_info": "Unbacked+0x3211", "callsite_trailing_bytes": "834648fab8010000004883c4685b5d5e5f415c415d415e415fc3e8602e935fcc0000001910090010c20c300b500a60097008c006d004e002f000004000000000", "protection": "RWX", "callsite_leading_bytes": "2428f6c1017404488b49ffe8ff195c5f4889442430498bd5448b44245c4c8b4c2448488b6c244048896c2420488b6c243848896c2428488d4b08488b09ff5318" } ] } }, "entity_id": "YzcyNWFlODctZTg0Ni00NjAyLTlhMDgtMmM3MTdhM2E1MDRiLTEwOTM2LTE3MjExMzMwMDguMjYxNDAzNDAw", "command_line": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ", "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" }, "pid": 3724, "working_directory": "C:\\Users\\robert.baratheon\\Desktop\\", "entity_id": "YzcyNWFlODctZTg0Ni00NjAyLTlhMDgtMmM3MTdhM2E1MDRiLTM3MjQtMTcyMTE0MjAwNi42Mzk3MjQ1MDA=", "executable": "C:\\Windows\\System32\\sc.exe", "args": [ "C:\\Windows\\system32\\sc.exe", "sdset", "dummyservice", "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" ], "code_signature": { "trusted": true, "subject_name": "Microsoft Windows", "exists": true, "status": "trusted" }, "pe": { "imphash": "35a7ffde18d444a92d32c8b2879450ff", "original_file_name": "sc.exe" }, "name": "sc.exe", "args_count": 4, "command_line": "\"C:\\Windows\\system32\\sc.exe\" sdset dummyservice D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)", "hash": { "sha1": "622fa2729408e5f467a592223219da7c547e7cc7", "sha256": "78097c7cd0e57902536c60b7fa17528c313db20869e5f944223a0ba4c801d39b", "md5": "abb56882148de65d53abfc55544a49a8" } }, "@timestamp": "2024-07-16T15:00:06.6397245Z", "ecs": { "version": "8.10.0" }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "endpoint.events.process" }, "elastic": { "agent": { "id": "c725ae87-e846-4602-9a08-2c717a3a504b" } }, "host": { "hostname": "kingslanding", "os": { "Ext": { "variant": "Windows Server 2019 Datacenter Evaluation" }, "kernel": "1809 (10.0.17763.6054)", "name": "Windows", "family": "windows", "type": "windows", "version": "1809 (10.0.17763.6054)", "platform": "windows", "full": "Windows Server 2019 Datacenter Evaluation 1809 (10.0.17763.6054)" }, "domain": "sevenkingdoms.local", "ip": [ "192.168.56.10", "192.168.133.195", "127.0.0.1", "::1" ], "name": "kingslanding", "id": "bb11c0d0-189a-4fad-aa85-e71a5b6c7ed9", "mac": [ "00-0c-29-f8-cf-09", "00-0c-29-f8-cf-ff" ], "architecture": "x86_64" }, "event": { "agent_id_status": "verified", "sequence": 1092460, "ingested": "2024-07-16T15:00:23Z", "created": "2024-07-16T15:00:06.6397245Z", "kind": "event", "module": "endpoint", "action": "start", "id": "NdKiAMCzNm3kRfxN++++ZGfE", "category": [ "process" ], "type": [ "start" ], "dataset": "endpoint.events.process", "outcome": "unknown" }, "message": "Endpoint process event", "user": { "domain": "SEVENKINGDOMS", "name": "robert.baratheon", "id": "S-1-5-21-3715621034-4113696668-281506975-1117" } }, "fields": { "process.hash.md5": [ "abb56882148de65d53abfc55544a49a8" ], "host.os.full.text": [ "Windows Server 2019 Datacenter Evaluation 1809 (10.0.17763.6054)" ], "process.command_line.caseless": [ "\"c:\\windows\\system32\\sc.exe\" sdset dummyservice d:(d;;dclcwpdtsd;;;iu)(d;;dclcwpdtsd;;;su)(d;;dclcwpdtsd;;;ba)(a;;cclcswlocrrc;;;iu)(a;;cclcswlocrrc;;;su)(a;;cclcswrpwpdtlocrrc;;;sy)(a;;ccdclcswrpwpdtlocrsdrcwdwo;;;ba)s:(au;fa;ccdclcswrpwpdtlocrsdrcwdwo;;;wd)" ], "event.category": [ "process" ], "host.os.name.text": [ "Windows" ], "process.parent.command_line": [ "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" " ], "process.parent.name": [ "powershell.exe" ], "process.hash.sha256": [ "78097c7cd0e57902536c60b7fa17528c313db20869e5f944223a0ba4c801d39b" ], "process.parent.pid": [ 10936 ], "host.hostname": [ "kingslanding" ], "host.mac": [ "00-0c-29-f8-cf-09", "00-0c-29-f8-cf-ff" ], "process.code_signature.exists": [ true ], "elastic.agent.id": [ "c725ae87-e846-4602-9a08-2c717a3a504b" ], "host.domain": [ "sevenkingdoms.local" ], "host.os.version": [ "1809 (10.0.17763.6054)" ], "event.agent_id_status": [ "verified" ], "event.outcome": [ "unknown" ], "host.os.type": [ "windows" ], "user.id": [ "S-1-5-21-3715621034-4113696668-281506975-1117" ], "process.Ext.ancestry": [ "YzcyNWFlODctZTg0Ni00NjAyLTlhMDgtMmM3MTdhM2E1MDRiLTEwOTM2LTE3MjExMzMwMDguMjYxNDAzNDAw", "YzcyNWFlODctZTg0Ni00NjAyLTlhMDgtMmM3MTdhM2E1MDRiLTc5NDgtMTcyMTA4NjkwOC40MTUxODIxMDA=", "YzcyNWFlODctZTg0Ni00NjAyLTlhMDgtMmM3MTdhM2E1MDRiLTQ4ODgtMTcyMTA4NjkwOC4zMjEzNDQ5MDA=", "YzcyNWFlODctZTg0Ni00NjAyLTlhMDgtMmM3MTdhM2E1MDRiLTY5Mi0xNzIxMDg1MjE4LjMwNjkxMTYwMA==" ], "host.architecture": [ "x86_64" ], "agent.id": [ "c725ae87-e846-4602-9a08-2c717a3a504b" ], "process.parent.code_signature.trusted": [ true ], "process.command_line.text": [ "\"C:\\Windows\\system32\\sc.exe\" sdset dummyservice D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" ], "process.Ext.relative_file_creation_time": [ 184146443.7766875 ], "process.parent.thread.Ext.call_stack_contains_unbacked": [ true ], "user.name": [ "robert.baratheon" ], "process.working_directory": [ "C:\\Users\\robert.baratheon\\Desktop\\" ], "process.entity_id": [ "YzcyNWFlODctZTg0Ni00NjAyLTlhMDgtMmM3MTdhM2E1MDRiLTM3MjQtMTcyMTE0MjAwNi42Mzk3MjQ1MDA=" ], "process.parent.code_signature.status": [ "trusted" ], "host.ip": [ "192.168.56.10", "192.168.133.195", "127.0.0.1", "::1" ], "process.executable.caseless": [ "c:\\windows\\system32\\sc.exe" ], "agent.type": [ "endpoint" ], "process.pe.original_file_name": [ "sc.exe" ], "process.executable.text": [ "C:\\Windows\\System32\\sc.exe" ], "process.parent.thread.Ext.call_stack.protection": [ "RWX" ], "user.domain": [ "SEVENKINGDOMS" ], "host.id": [ "bb11c0d0-189a-4fad-aa85-e71a5b6c7ed9" ], "process.name.caseless": [ "sc.exe" ], "process.Ext.token.integrity_level_name": [ "high" ], "process.parent.name.caseless": [ "powershell.exe" ], "process.working_directory.text": [ "C:\\Users\\robert.baratheon\\Desktop\\" ], "process.Ext.session_info.user_flags": [ "LOGON_EXTRA_SIDS" ], "process.code_signature.status": [ "trusted" ], "host.os.Ext.variant": [ "Windows Server 2019 Datacenter Evaluation" ], "event.action": [ "start" ], "event.ingested": [ "2024-07-16T15:00:23Z" ], "@timestamp": [ "2024-07-16T15:00:06.639Z" ], "host.os.platform": [ "windows" ], "process.parent.command_line.caseless": [ "\"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe\" " ], "data_stream.dataset": [ "endpoint.events.process" ], "process.Ext.code_signature": [ { "trusted": [ true ], "subject_name": [ "Microsoft Windows" ], "exists": [ true ], "status": [ "trusted" ] } ], "process.hash.sha1": [ "622fa2729408e5f467a592223219da7c547e7cc7" ], "event.id": [ "NdKiAMCzNm3kRfxN++++ZGfE" ], "host.os.name.caseless": [ "windows" ], "process.parent.thread.Ext.call_stack.symbol_info": [ "C:\\Windows\\System32\\ntdll.dll!ZwCreateUserProcess+0x14", "C:\\Windows\\System32\\KernelBase.dll!CreateProcessInternalW+0x1f12", "C:\\Windows\\System32\\KernelBase.dll!CreateProcessW+0x66", "C:\\Windows\\System32\\kernel32.dll!CreateProcessW+0x53", "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\b7dad15c7fa4f8dd061acea449ad23d0\\System.ni.dll+0x334376", "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\b7dad15c7fa4f8dd061acea449ad23d0\\System.ni.dll+0x2b65a0", "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\b7dad15c7fa4f8dd061acea449ad23d0\\System.ni.dll+0x2b5f47", "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\08dd192fa957d67f0981eb627a871369\\System.Management.Automation.ni.dll+0x100769b", "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\08dd192fa957d67f0981eb627a871369\\System.Management.Automation.ni.dll+0xf29bfd", "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\08dd192fa957d67f0981eb627a871369\\System.Management.Automation.ni.dll+0xfcd15e", "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\08dd192fa957d67f0981eb627a871369\\System.Management.Automation.ni.dll+0xfcce3b", "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\08dd192fa957d67f0981eb627a871369\\System.Management.Automation.ni.dll+0x1096044", "Unbacked+0x3211" ], "user.name.text": [ "robert.baratheon" ], "process.Ext.session_info.authentication_package": [ "Kerberos" ], "process.name.text": [ "sc.exe" ], "host.os.full": [ "Windows Server 2019 Datacenter Evaluation 1809 (10.0.17763.6054)" ], "process.parent.thread.Ext.call_stack.callsite_leading_bytes": [ "2428f6c1017404488b49ffe8ff195c5f4889442430498bd5448b44245c4c8b4c2448488b6c244048896c2420488b6c243848896c2428488d4b08488b09ff5318" ], "process.pid": [ 3724 ], "process.code_signature.subject_name": [ "Microsoft Windows" ], "process.parent.entity_id": [ "YzcyNWFlODctZTg0Ni00NjAyLTlhMDgtMmM3MTdhM2E1MDRiLTEwOTM2LTE3MjExMzMwMDguMjYxNDAzNDAw" ], "host.os.name": [ "Windows" ], "host.name": [ "kingslanding" ], "event.kind": [ "event" ], "process.parent.thread.Ext.call_stack.callsite_trailing_bytes": [ "834648fab8010000004883c4685b5d5e5f415c415d415e415fc3e8602e935fcc0000001910090010c20c300b500a60097008c006d004e002f000004000000000" ], "process.code_signature.trusted": [ true ], "process.Ext.session_info.relative_logon_time": [ 55100.2683438 ], "process.Ext.session_info.relative_password_age": [ 516971.2548956 ], "process.parent.thread.Ext.call_stack_summary": [ "ntdll.dll|kernelbase.dll|kernel32.dll|system.ni.dll|system.management.automation.ni.dll|Unbacked" ], "data_stream.type": [ "logs" ], "process.parent.args_count": [ 1 ], "process.Ext.token.security_attributes": [ "TSA://ProcUnique" ], "process.name": [ "sc.exe" ], "ecs.version": [ "8.10.0" ], "process.parent.executable.text": [ "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ], "event.created": [ "2024-07-16T15:00:06.639Z" ], "agent.version": [ "8.14.2" ], "host.os.family": [ "windows" ], "process.Ext.session_info.id": [ 1 ], "process.Ext.mitigation_policies": [ "CF Guard" ], "process.parent.code_signature.exists": [ true ], "process.parent.name.text": [ "powershell.exe" ], "event.sequence": [ 1092460 ], "event.module": [ "endpoint" ], "host.os.kernel": [ "1809 (10.0.17763.6054)" ], "process.Ext.relative_file_name_modify_time": [ 100319014.6686186 ], "host.os.full.caseless": [ "windows server 2019 datacenter evaluation 1809 (10.0.17763.6054)" ], "process.executable": [ "C:\\Windows\\System32\\sc.exe" ], "process.parent.code_signature.subject_name": [ "Microsoft Windows" ], "process.parent.executable.caseless": [ "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" ], "process.parent.executable": [ "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ], "process.working_directory.caseless": [ "c:\\users\\robert.baratheon\\desktop\\" ], "process.parent.command_line.text": [ "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" " ], "process.args_count": [ 4 ], "data_stream.namespace": [ "default" ], "process.parent.Ext.code_signature": [ { "trusted": [ true ], "subject_name": [ "Microsoft Windows" ], "exists": [ true ], "status": [ "trusted" ] } ], "process.args": [ "C:\\Windows\\system32\\sc.exe", "sdset", "dummyservice", "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" ], "message": [ "Endpoint process event" ], "process.Ext.authentication_id": [ "0x1c7b1b" ], "process.Ext.token.elevation_level": [ "full" ], "process.parent.args": [ "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ], "process.pe.imphash": [ "35a7ffde18d444a92d32c8b2879450ff" ], "event.type": [ "start" ], "process.command_line": [ "\"C:\\Windows\\system32\\sc.exe\" sdset dummyservice D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" ], "process.Ext.session_info.logon_type": [ "Interactive" ], "event.dataset": [ "endpoint.events.process" ] } } ```