tsale / EDR-Telemetry

This project aims to compare and evaluate the telemetry of various EDR products.

Adding HarfangLab EDR #43

Closed mthcht closed 6 months ago

mthcht commented 7 months ago

HarfangLab

Description

Please provide the below information so we can validate before merging:

  1. Does the proposed EDR feature align with our definition of telemetry? (definition here): yes
  2. Could you please provide documentation to support the telemetry you are proposing? (If it is held privately, please reach out to me or @inodee): no documentation (log analysis on SIEM only)
  3. If no documentation is available for all the categories you are proposing, could you provide screenshots or sanitized logs?

sanitized log samples:

Process Creation

alert_subtype=process alert_type=sigma log_type=alert
signature="Discovery: Ipconfig"

{"status":"new","aggregation_key":"6467ceaead090eq21fec43adf424d894a2a0585e14e1d2c31230e1cbec7a044e","@event_create_date":"2023-11-13T09:57:17.894Z","@version":"1","rule_id":"dc40e7d9-a996-45bf-a2ae-f8caf1816852","alert_type":"sigma","mitre_cells":["discovery__t1016"],"detection_origin":"backend","tenant":"","process":{"logonid":1263758,"parent_commandline":"C:\\windows\\system32\\cmd.exe","parent_integrity_level":"Medium","error_msg":"","status":0,"parent_image":"C:\\Windows\\System32\\cmd.exe","parent_unique_id":"007f1dc4-53d2-4074-7198-0074c814d431","process_name":"ipconfig.exe","fake_ppid":null,"fake_parent_commandline":null,"hashes":{"sha1":"d9bbb4e4900ff03b0486fac32768170249dad82d","md5":"62f170fb07fdbb79ceb7147101406eb8","sha256":"53e000f5aa9b3a00934319db8080bb99cb323bf48fc628a64f75d7847c265606"},"pe_info":{"file_description":"IP Configuration Utility","file_version":"10.0.19041.1 (WinBuild.160101.0800)","original_filename":"ipconfig.exe","company_name":"Microsoft Corporation","internal_name":"ipconfig.exe","legal_copyright":"© Microsoft Corporation. 
All rights reserved.","product_name":"Microsoft® Windows® Operating System","product_version":"10.0.19041.1"},"log_platform_flag":0,"pe_timestamp":"2021-01-14T15:04:03.000Z","usersid":"S-1-5-21-4002062625-134300628-1539286463-1264","create_time":"2023-11-13T09:40:07.644Z","fake_parent_image":null,"status_msg":"","fake_parent_unique_id":null,"pe_imphash":"1002D523645A81BC52877D82D9E88417","signature_info":{"signed_catalog":true,"signed_authenticode":false,"signer_info":{"thumbprint":"8870483e0e833965a53f422494f1614f79286851","serial_number":"33000004158295a1a3d82e2857000000000415","display_name":"Microsoft Windows","issuer_name":"Microsoft Windows Production PCA 2011","thumbprint_sha256":"2724aeb0c497bf5fd732958120d1ae3341cfd252ab1680de03d10503abc666c1"},"root_info":{"thumbprint":"3b1efd3a66ea28b16697394703a72ca340a05bd5","serial_number":"28cc3a25bfba44ac449a9b586b4339aa","display_name":"Microsoft Root Certificate Authority 2010","issuer_name":"Microsoft Root Certificate Authority 2010","thumbprint_sha256":"df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e"}},"process_unique_id":"008f1cc4-53d1-4074-59ac-000e11b0bb62","commandline":"ipconfig /all","username":"LAN\\mthcht","ppid":24984,"log_type":"process","integrity_level":"Medium","size":35840,"image_name":"C:\\Windows\\System32\\ipconfig.exe","pe_timestamp_int":1610636643,"current_directory":"C:\\Users\\mthcht","signed":true,"pid":22946,"session":1},"level":"low","maturity":"stable","msg":"Detects the execution of ipconfig.exe, a tool often used by attackers to gather detailed information about a computer's network interfaces.","alert_unique_id":"839d24e3-048c-4baa-b56a-9454712d63f0","alert_subtype":"process","rule_name":"Discovery: 
Ipconfig","execution":0,"tags":["attack.discovery","attack.t1016","attack.s0100"],"@timestamp":"2023-11-13T09:57:18.000Z","log_type":"alert","alert_time":"2023-11-13T09:57:17.894+00:00","type":"rtlogs","agent":{"osversion":"10.0.19041","agentid":"6ca26c2d-43d1-4074-a5a9-b3c2b89fb386","domain":null,"distroid":null,"hostname":"mthcht-lab","osproducttype":"Windows 10 Enterprise","version":"2.19.6","domainname":"LAN","ostype":"windows"}}

Process Access

alert_subtype=process alert_type=sigma log_type=alert
signature="LSASS process memory access from unknown module"

{"status":"new","aggregation_key":"3f37ffb4a649a4e48af8c29a78bb1a3a14c46fa25bf62cc96b7c507f9ae60f89","@event_create_date":"2023-11-13T08:32:58.618Z","@version":"1","rule_id":"8037d4ce-f3fb-4137-b9f3-e9fa755cebg2","alert_type":"sigma","mitre_cells":["credential-access__t1003.001"],"detection_origin":"agent","tenant":"","process":{"logonid":999,"parent_commandline":"C:\\windows\\system32\\services.exe","parent_integrity_level":"System","error_msg":"","status":0,"parent_image":"C:\\Windows\\System32\\services.exe","grandparent_commandline":"wininit.exe","parent_unique_id":"2123ba73-e634-418b-0008-004f636fb722","process_name":"nossvc.exe","fake_ppid":null,"fake_parent_commandline":null,"hashes":{"sha1":"34fe7649095939a805eb5a003d3533e3967a1873","md5":"74d2e9e275e80b53e9e414d0c70ee33f","sha256":"db4e6127ec056c1845c53c7f64a308d2277b6c6dfefc67fddb5a18aa1a25180d"},"pe_info":{"file_description":"nProtect Online Security Service","file_version":"2022, 7, 20, 1","original_filename":"nossvc.exe","company_name":"INCA Internet Co., Ltd.","internal_name":"nossvc.exe","legal_copyright":"Copyright (C) INCA Internet.","product_name":"nossvc","product_version":"2022, 7, 20, 1"},"log_platform_flag":0,"pe_timestamp":"2022-07-20T08:51:05.000Z","usersid":"S-1-5-18","create_time":"2023-11-13T08:31:01.489Z","fake_parent_image":null,"status_msg":"sigma match detected this process but not configured to block it","fake_parent_unique_id":null,"pe_imphash":"BAA93D47220682C04D92F7797D9224CE","signature_info":{"signed_catalog":false,"signed_authenticode":true,"signer_info":{"thumbprint":"bf937a854314ccb594129182108b53bed19c7e10","serial_number":"02d81fb6aed0e17c88e2a58909eb7269","display_name":"INCA Internet Co.,Ltd.","issuer_name":"DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 
CA1","thumbprint_sha256":"4e171e7d95b67df391c4e126e0f214ac2637b9dd346b03ace892fca189124769"},"root_info":{"thumbprint":"ddfb16cd4931c973a2037d3fc83a4d7d775d05e4","serial_number":"059b1b579e8e2132e23907bda777755c","display_name":"DigiCert Trusted Root G4","issuer_name":"DigiCert Trusted Root G4","thumbprint_sha256":"552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988"}},"process_unique_id":"2322ba76-e649-41cb-1760-00b36c83e3cd","grandparent_image":"C:\\Windows\\System32\\wininit.exe","dont_create_process":true,"commandline":"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nossvc.exe /SVC","username":"NT AUTHORITY\\SYSTEM","ppid":8,"log_type":"process","integrity_level":"System","grandparent_integrity_level":"System","size":1821560,"image_name":"C:\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nossvc.exe","pe_timestamp_int":1658307065,"current_directory":null,"signed":true,"pid":6240,"session":0},"level":"critical","maturity":"stable","msg":"Detects an attempt to open LSASS.exe process memory with read permissions from an unknown module.\n This is likely done when LSASS is accessed from an injected process.","alert_unique_id":"2d2fc143-fbc6-47a5-afc4-364c8430feb3","alert_subtype":"process","rule_name":"LSASS process memory access from unknown module","execution":0,"tags":["attack.credential_access","attack.t1003.001","attack.t1078"],"details_process_access":{"CallTrace":"C:\\Windows\\System32\\ntdll.dll+9d4a4|C:\\Windows\\System32\\wow64.dll+10a15|C:\\Windows\\System32\\wow64.dll+90da|C:\\Windows\\System32\\wow64cpu.dll+17c3|C:\\Windows\\System32\\wow64cpu.dll+11b9|C:\\Windows\\System32\\wow64.dll+3989|C:\\Windows\\System32\\wow64.dll+337d|C:\\Windows\\System32\\ntdll.dll+75059|C:\\Windows\\System32\\ntdll.dll+74c43|C:\\Windows\\System32\\ntdll.dll+74bee|C:\\Windows\\SysWOW64\\ntdll.dll+72e0c|C:\\Windows\\SysWOW64\\KernelBase.dll+117478|C:\\Program Files (x86)\\INCAInternet\\nProtect Online 
Security\\nossvc.exe+1715|UNKNOWN(00000000048b0048)","TargetProcessId":732,"TargetProcessGUID":"2323ba64-e638-42cb-02dc-0010d8997f93","GrantedAccessStr":"PROCESS_QUERY_LIMITED_INFORMATION|PROCESS_VM_READ","GrantedAccess":"0x1010","TargetImage":"C:\\Windows\\System32\\lsass.exe","target_process":{"logonid":999,"parent_commandline":"wininit.exe","parent_integrity_level":"System","error_msg":"","status":0,"parent_image":"C:\\Windows\\System32\\wininit.exe","grandparent_commandline":null,"parent_unique_id":"2324ba74-e699-42cb-03e0-00b5f95c7678","process_name":"lsass.exe","signature":"Microsoft Windows Publisher","fake_ppid":null,"fake_parent_commandline":null,"hashes":{"sha1":"2292498eaf2dad254a3c18cc3e1355c03be167f2","md5":"b4de3d04ae3c71e67236b841beadeb74","sha256":"8567cdba80952b2b7af647b9d2630fe12b73e87517498bccdcc27ec1ed6e1545"},"pe_info":{"file_description":"Local Security Authority Process","file_version":"10.0.19041.3570 (WinBuild.160101.0800)","original_filename":"lsass.exe","company_name":"Microsoft Corporation","internal_name":"lsass.exe","legal_copyright":"© Microsoft Corporation. 
All rights reserved.","product_name":"Microsoft® Windows® Operating System","product_version":"10.0.19041.3570"},"signature_status":"Valid","pe_timestamp":"2009-09-12 01:49:51.000","usersid":"S-1-5-18","create_time":"2023/11/13 08:30:55.622042","fake_parent_image":null,"status_msg":"","fake_parent_unique_id":null,"pe_imphash":"3924D1606F44D90586A3EC75785C2730","signature_info":{"signed_catalog":false,"signed_authenticode":true,"signer_info":{"thumbprint":"09bd21d33cbe3cdd99f0bd85f1c0f16eab84bdaf","serial_number":"3300000451990a2a60f6356760000000000451","display_name":"Microsoft Windows Publisher","issuer_name":"Microsoft Windows Production PCA 2011","thumbprint_sha256":"9d0afd14479842055c57386a4daf53d430d86fee2acb5d5d7ecd01a0b0fc766f"},"root_info":{"thumbprint":"3b1efd3a66ea28b16697394703a72ca340a05bd5","serial_number":"28cc3a25bfba44ac449a9b586b4339aa","display_name":"Microsoft Root Certificate Authority 2010","issuer_name":"Microsoft Root Certificate Authority 2010","thumbprint_sha256":"df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e"}},"process_unique_id":"2323ba74-e639-41cb-02dc-0010d8497f93","grandparent_image":null,"commandline":"C:\\windows\\system32\\lsass.exe","username":"NT 
AUTHORITY\\SYSTEM","ppid":992,"integrity_level":"System","grandparent_integrity_level":null,"size":60640,"image_name":"C:\\Windows\\System32\\lsass.exe","pe_timestamp_int":1252720191,"current_directory":"C:\\windows\\system32","signed":"true","pid":732,"session":0},"RawCallTrace":[["140722866017444","140722865373184","\\Device\\HarddiskVolume3\\Windows\\System32\\ntdll.dll"],["140722836212245","140722836144128","\\Device\\HarddiskVolume3\\Windows\\System32\\wow64.dll"],["140722836181210","140722836144128","\\Device\\HarddiskVolume3\\Windows\\System32\\wow64.dll"],["2002065347","2002059264","\\Device\\HarddiskVolume3\\Windows\\System32\\wow64cpu.dll"],["2002063801","2002059264","\\Device\\HarddiskVolume3\\Windows\\System32\\wow64cpu.dll"],["140722836158857","140722836144128","\\Device\\HarddiskVolume3\\Windows\\System32\\wow64.dll"],["140722836157309","140722836144128","\\Device\\HarddiskVolume3\\Windows\\System32\\wow64.dll"],["140722865852505","140722865373184","\\Device\\HarddiskVolume3\\Windows\\System32\\ntdll.dll"],["140722865851459","140722865373184","\\Device\\HarddiskVolume3\\Windows\\System32\\ntdll.dll"],["140722865851374","140722865373184","\\Device\\HarddiskVolume3\\Windows\\System32\\ntdll.dll"],["2002595340","2002124800","\\Device\\HarddiskVolume3\\Windows\\SysWOW64\\ntdll.dll"],["1968272504","1967128576","\\Device\\HarddiskVolume3\\Windows\\SysWOW64\\KernelBase.dll"],["4200213","4194304","\\Device\\HarddiskVolume3\\Program Files (x86)\\INCAInternet\\nProtect Online Security\\nossvc.exe"],["76218440","0","None"]]},"log_type":"alert","alert_time":"2023-11-13T08:50:59.466+00:00","type":"rtlogs","@timestamp":"2023-11-13T08:50:59.512Z","agent":{"osversion":"10.0.19041","additional_info":{"additional_info3":null,"additional_info4":null,"additional_info2":null,"additional_info1":null},"domain":null,"agentid":"1c75a696-e739-41cb-90b6-bdbccf85a378","distroid":null,"hostname":"mthcht-lab","osproducttype":"Windows 10 
Pro","version":"2.19.6","domainname":"LAN","ostype":"windows"}}

Image/Library Loaded + Driver Loaded

alert_subtype=process alert_type=sigma log_type=alert

signature="LSASS.exe Loads Unsigned DLL"

{"process":{"current_directory":"C:\\windows\\system32","pe_timestamp":"2009-09-12T01:49:51.000Z","grandparent_commandline":null,"pid":996,"pe_info":{"company_name":"Microsoft Corporation","original_filename":"lsass.exe","file_description":"Local Security Authority Process","file_version":"10.0.19041.3570 (WinBuild.160101.0800)","internal_name":"lsass.exe","product_name":"Microsoft® Windows® Operating System","legal_copyright":"© Microsoft Corporation. All rights reserved.","product_version":"10.0.19041.3570"},"username":"NT AUTHORITY\\SYSTEM","parent_integrity_level":"System","fake_parent_unique_id":null,"status":0,"fake_parent_commandline":null,"parent_commandline":"wininit.exe","process_name":"lsass.exe","usersid":"S-1-5-18","hashes":{"sha256":"8567cdba80952b2b7af647b9d2630fe12b73e87517498bccdcc27ec1ed6e1545","md5":"b4de3d04ae3c71e67236b841beadeb74","sha1":"2292498eaf2dad254a3c18cc3e1355c03be167f2"},"signature_info":{"signed_authenticode":true,"signer_info":{"serial_number":"3300000451990a2a60f6356760000000000451","thumbprint_sha256":"9d0afd14479842055c57386a4daf53d430d86fee2acb5d5d7ecd01a0b0fc766f","display_name":"Microsoft Windows Publisher","issuer_name":"Microsoft Windows Production PCA 2011","thumbprint":"09bd21d33cbe3cdd99f0bd85f1c0f16eab84bdaf"},"signed_catalog":false,"root_info":{"serial_number":"28cc3a25bfba44ac449a9b586b4339aa","thumbprint_sha256":"df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e","display_name":"Microsoft Root Certificate Authority 2010","issuer_name":"Microsoft Root Certificate Authority 
2010","thumbprint":"3b1efd3a66ea28b16697394703a72ca340a05bd5"}},"parent_image":"C:\\Windows\\System32\\wininit.exe","size":60640,"log_type":"process","process_unique_id":"ac630247-d77a-4a6f-03e4-00a44ef4b03b","commandline":"C:\\windows\\system32\\lsass.exe","grandparent_integrity_level":null,"integrity_level":"System","session":0,"image_name":"C:\\Windows\\System32\\lsass.exe","fake_ppid":null,"signed":true,"dont_create_process":true,"fake_parent_image":null,"pe_timestamp_int":1252720191,"status_msg":"","error_msg":"","logonid":999,"ppid":912,"grandparent_image":null,"log_platform_flag":0,"pe_imphash":"3924D1606F44D90586A3EC75785C2730","create_time":"2023-11-13T08:30:51.770Z","parent_unique_id":"ac630247-d77a-4a6f-0390-0025521eb90c"},"msg":"An unsigned DLL or EXE has been loaded into the LSASS process memory. This could be an attempt at dumping credentials off the memory. This could also be a legitimate third party DLL addind features to the machine authentication mechanism.","alert_type":"sigma","status":"new","@version":"1","maturity":"stable","rule_name":"LSASS.exe Loads Unsigned DLL","log_type":"alert","type":"rtlogs","mitre_cells":["credential-access__t1003.001"],"agent":{"version":"2.19.6","hostname":"mthcht-lab","distroid":null,"ostype":"windows","osversion":"10.0.19041","agentid":"8ac660d3-d47a-4a5f-825d-76fbdc217b41","domain":null,"additional_info":{"additional_info1":null,"additional_info4":null,"additional_info3":null,"additional_info2":null},"osproducttype":"Windows 10 Pro","domainname":"LAN"},"alert_unique_id":"c968d29d-ae2b-4a4d-acf3-8cf8765aa3a5","tenant":"","details_library":{"pe_timestamp":"2022-08-26T18:02:14.000Z","signed":false,"hashes":{"sha256":"08c6499d875258b692e318d63fb0a4fefe6588889951ed0233d465a93f64b278","md5":"d54d8d04c3863b904ac28383307275b1","sha1":"568be617247a42d0e86343fb6008a18f7af6c6e8"},"pe_info":{"company_name":"Proxy Labs","original_filename":"pcapwsp.dll","file_description":"ProxyCap Winsock Service 
Providers","file_version":"5, 3, 8, 0","internal_name":"pcapwsp","product_name":"ProxyCap","legal_copyright":"Copyright © 2022 Proxy Labs","product_version":"5, 3, 8, 0"},"image_loaded":"C:\\Windows\\System32\\pcapwsp.dll","signature_info":{"signed_authenticode":false,"signer_info":{"serial_number":"","thumbprint_sha256":"","display_name":"","issuer_name":"","thumbprint":""},"signed_catalog":false,"root_info":{"serial_number":"","thumbprint_sha256":"","display_name":"","issuer_name":"","thumbprint":""}},"pe_timestamp_int":1661536934,"size":587776,"pe_imphash":""},"@event_create_date":"2023-11-13T08:35:27.548Z","detection_origin":"agent","tags":["attack.credential_access","attack.t1003.001","attack.t1078"],"aggregation_key":"b28cad86c8f2c5c879820a57550918e10b7ccfd227446d806c23372d56adbc49","alert_subtype":"process","@timestamp":"2023-11-13T08:35:46.168Z","level":"medium","rule_id":"cb289a71-4836-4f9d-b12c-c0582903d497","execution":0,"alert_time":"2023-11-13T08:35:46.041+00:00"}

signature="IOC driver check"

{"detection_origin":"agent","@event_create_date":"2023-11-16T12:13:44.199Z","maturity":"stable","msg":"Driver was found malicious by an IOC: 71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009","tags":["_dateparsefailure"],"status":"new","rule_name":"IOC driver check","aggregation_key":"ae3c9943d3f640f445dea673bf3dc943f8fd77fda32879af360c75f283d14b96","tenant":"","image_name":"C:\\Windows\\System32\\drivers\\DBUtilDrv2.sys","alert_subtype":"driverload","log_type":"alert","agent":{"hostname":"mthcht-lab","domain":null,"distroid":null,"version":"2.26.12-post0","domainname":"LAN","additional_info":null,"ostype":"windows","agentid":"7bc0acb7-f34b-46b2-bd26-02c9eb646703","groups":[],"osversion":"10.0.19045","dnsdomainname":"LAN","osproducttype":"Windows 10 Pro"},"threat_key":"8","threat_values":[],"alert_type":"ioc","rule_id":"IOC driver check","@version":"1","alert_unique_id":"bc5d0b5b-52f0-4e6c-a6e4-db8bf646f47b","alert_time":"2023-11-16T12:13:44.199+00:00","level":"high","threat_type":"new","groups":[],"execution":0,"@timestamp":"2023-11-16T12:13:44.438601Z","type":"rtlogs","driverload":{"utc_time":"2023-11-16T12:13:44.077000+00:00","ioc_uuid":null,"pe_timestamp":"2021-05-06T23:20:18Z","status":0,"imagesize":45056,"imagename":"DBUtilDrv2.sys","signed":true,"pe_timestamp_int":1620343218,"size":24968,"detection_timestamp":"2023/11/16 12:13:44.086","signature_info":{"signed_catalog":false,"signed_authenticode":true,"signer_info":{"thumbprint":"38b7c74e37392713e436e19a2be053100115da88","display_name":"Microsoft Windows Hardware Compatibility Publisher","thumbprint_sha256":"6d6af5a5fd8bde067e41a176287feb2c62e73cf0823e77514a3b2e2c7bfc1e24","issuer_name":"Microsoft Windows Third Party Component CA 2012","serial_number":"33000000b5213fca1e4aa03de40000000000b5"},"root_info":{"thumbprint":"3b1efd3a66ea28b16697394703a72ca340a05bd5","display_name":"Microsoft Root Certificate Authority 
2010","thumbprint_sha256":"df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e","issuer_name":"Microsoft Root Certificate Authority 2010","serial_number":"28cc3a25bfba44ac449a9b586b4339aa"}},"log_type":"driverload","hashes":{"imphash":"506A31D768AEC26B297C45B50026C820","md5":"d104621c93213942b7b43d65b5d8d33e","sha1":"b03b1996a40bfea72e4584b82f6b845c503a9748","sha256":"71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009"},"imagebase":18446735300954816512,"pe_imphash":"506A31D768AEC26B297C45B50026C820","imagepath":"C:\\Windows\\System32\\drivers\\DBUtilDrv2.sys","pe_info":{"file_version":"2.7.0.0","file_description":"DBUtil","company_name":"Dell","legal_copyright":"© 2021 Dell Inc. All Rights Reserved. ","original_filename":"","internal_name":"","pe_timestamp":"2021-05-06T23:20:18Z","product_name":"DBUtil","product_version":"2.7.0.0"}}}

File Manipulation + File Modification + File Creation

signature="File Added/Modified In Startup Directory"

{"execution":0,"tenant":"","alert_subtype":"process","maturity":"stable","rule_id":"fc2a4033c-7d79-4d05-972a-c7ccf40274cf","process":{"log_platform_flag":0,"dont_create_process":true,"fake_parent_image":null,"current_directory":"C:\\WINDOWS\\system32","grandparent_image":"C:\\Windows\\System32\\winlogon.exe","signed":true,"process_unique_id":"4d15e288-f4b1-4009-2540-00b68548d05b","pe_info":{"product_name":"Microsoft® Windows® Operating System","file_version":"10.0.19041.3570 (WinBuild.160101.0800)","product_version":"10.0.19041.3570","company_name":"Microsoft Corporation","internal_name":"explorer","original_filename":"EXPLORER.EXE","legal_copyright":"© Microsoft Corporation. All rights reserved.","file_description":"Windows Explorer"},"pe_timestamp_int":4115925191,"parent_unique_id":"4d16e238-f7a3-4004-24f0-0021abc46e5e","fake_parent_commandline":null,"signature_info":{"signed_authenticode":true,"signer_info":{"display_name":"Microsoft Windows","issuer_name":"Microsoft Windows Production PCA 2011","thumbprint":"58fd671e2d4d200ce92d6e799ec70df96e6d2664","serial_number":"330000041331bc198807a90774000000000413","thumbprint_sha256":"1721693d3e23c7abf800ae7b86654ed86dceab48c530a57c00d24ef23ff7407e"},"signed_catalog":false,"root_info":{"display_name":"Microsoft Root Certificate Authority 2010","issuer_name":"Microsoft Root Certificate Authority 
2010","thumbprint":"3b1efd3a66ea28b16697394703a72ca340a05bd5","serial_number":"28cc3a25bfba44ac449a9b586b4339aa","thumbprint_sha256":"df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e"}},"log_type":"process","logonid":1085450,"hashes":{"sha256":"6a33947b40670d815b3dc7d1435fb0b432beca371fd5e05e2e5190aef337df9b","sha1":"34294bea5fd55cb4716d16227f0dc59661e95300","md5":"8c667c6f7196bd7f81621824368d8321"},"fake_parent_unique_id":null,"commandline":"C:\\WINDOWS\\Explorer.EXE","pe_imphash":"6AF5E52A7F35B8F4849DCCB8BC4667E3","process_name":"explorer.exe","username":"LAN\\mthcht","pe_timestamp":"2100-06-06T00:33:11.000Z","status":0,"integrity_level":"Medium","usersid":"S-1-12-1-460900529-116824092-1246365146-1328673931","parent_image":"C:\\Windows\\System32\\userinit.exe","grandparent_integrity_level":"System","ppid":9265,"parent_integrity_level":"Medium","image_name":"C:\\Windows\\explorer.exe","error_msg":"","fake_ppid":null,"session":1,"create_time":"2023-11-14T09:31:58.765Z","parent_commandline":"C:\\WINDOWS\\system32\\userinit.exe","size":5329808,"status_msg":"","grandparent_commandline":"winlogon.exe","pid":9536},"aggregation_key":"6d7fbd7e3c77d46be252a9d94e6a441b1fb278e36db8628f8a4c9ac93ba4f48d","rule_name":"File Added/Modified In Startup Directory","alert_type":"sigma","msg":"Detects when a file is added or modified in the startup directory","log_type":"alert","@version":"1","detection_origin":"agent","alert_unique_id":"b66703cb-81de-4459-b885-15ac51bab8c5","tags":["attack.persistence","attack.t1547.001"],"mitre_cells":["persistence__t1547.001"],"agent":{"distroid":null,"domainname":"WORKGROUP","agentid":"20d41df0-f7a1-4009-85fc-f38972f20127","domain":null,"osproducttype":"Windows 10 
Pro","additional_info":{"additional_info2":null,"additional_info4":null,"additional_info3":null,"additional_info1":null},"osversion":"10.0.19041","version":"2.19.6","ostype":"windows","hostname":"DESKTOP-N65OKMP"},"status":"new","level":"medium","@timestamp":"2023-11-14T17:15:19.047Z","type":"rtlogs","@event_create_date":"2023-11-14T17:15:10.240Z","alert_time":"2023-11-14T17:15:18.924+00:00","details_file":{"target_filename":"C:\\Users\\mthcht\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Rocket.Chat.lnk"}}

signature="Kerberos Ticket File Exported to Disk"

{"status":"new","@timestamp":"2023-11-17T15:56:45.303512Z","execution":0,"threat_key":11,"alert_subtype":"process","rule_name":"Kerberos Ticket File Exported to Disk","alert_type":"sigma","groups":[],"log_type":"alert","details_file":{"target_filename":"C:\\$Recycle.Bin\\S-1-5-21-4204062634-123400628-1249276473-4094\\$LH23Z9Z.kirbi"},"@version":"1","level":"high","process":{"status":0,"fake_parent_image":"","log_platform_flag":0,"logonid":1503960,"log_type":"process","ancestors":"","fake_parent_commandline":"","usersid":"S-1-5-21-4003042837-123700238-1236289472-4027","hashes":{"sha1":"34294bea5fd55cb4716d16227f0dc59661e95300","md5":"8c667c6f7196bd7f81621824368d8321","sha256":"6a33947b40670d815b3dc7d1435fb0b432beca371fd5e05e2e5190aef337df9b"},"sigma_rule_content":"title: Kerberos Ticket File Exported to Disk\nid: 68fe4fff-4e59-4cff-a376-dc54db74ee2f\ndescription: \"Detects the creation of a file on disk with the .kirbi (Windows Kerberos Format), or .ccache (Linux Kerberos Format) extension.\\n\nThis is usually the result of memory secret extraction tools, such as mimikatz, which contain modules to export Kerberos tickets from memory.\\n\nIt is recommended to investigate the incident do determine if any unauthorized authentication has taken place. 
An investigative guide is present in the references.\"\nreferences:\n    - https://www.mandiant.com/resources/blog/kerberos-tickets-on-linux-red-teams\n    - https://blog.netwrix.com/2022/09/28/how-to-detect-pass-the-ticket-attacks/\nstatus: stable\ndate: 2023/05/23\nmodified: 2023/05/23\nauthor: HarfangLab\ntags:\n    - attack.credential_accesss\n    - attack.t1558\n    - attack.defense_evasion\n    - attack.t1550.003\nlogsource:\n    product: windows\n    category: filesystem_create\ndetection:\n    selection:\n        TargetFilename|endswith:\n            - '.ccache'\n            - '.kirbi'\n    condition: selection\nlevel: high\n","pid":9546,"username":"LAN\\mthcht","fake_ppid":0,"current_directory":"C:\\windows\\system32\\","signed":true,"image_name":"C:\\Windows\\explorer.exe","grandparent_image":"","ioc_matches":[],"process_unique_id":"d6e3d4a2-cac0-5470-2426-0034c4daec67","pe_timestamp":"2100-06-06T00:33:11.000Z","integrity_level":"Medium","ppid":9408,"signature_info":{"signed_catalog":false,"root_info":{"issuer_name":"Microsoft Root Certificate Authority 2010","display_name":"Microsoft Root Certificate Authority 2010","serial_number":"28cc3a25bfba44ac449a9b586b4339aa","thumbprint":"3b1efd3a66ea28b16697394703a72ca340a05bd5","thumbprint_sha256":"df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e"},"signer_info":{"issuer_name":"Microsoft Windows Production PCA 2011","display_name":"Microsoft 
Windows","serial_number":"330000041331bc198807a90774000000000413","thumbprint":"58fd671e2d4d200ce92d6e799ec70df96e6d2664","thumbprint_sha256":"1721693d3e23c7abf800ae7b86654ed86dceab48c530a57c00d24ef23ff7407e"},"signed_authenticode":true},"size":5329808,"grandparent_commandline":"","session":1,"pe_imphash":"6AF5E52A7F35B8F4849DCCB8BC4667E3","process_name":"explorer.exe","grandparent_integrity_level":"Unknown","parent_commandline":"","create_time":"2023-11-06T08:28:56.969Z","parent_integrity_level":"Unknown","pe_info":{"internal_name":"explorer","file_version":"10.0.19041.3570 (WinBuild.160101.0800)","legal_copyright":"© Microsoft Corporation. All rights reserved.","pe_timestamp":"2100-06-06T00:33:11.000Z","company_name":"Microsoft Corporation","original_filename":"EXPLORER.EXE","product_version":"10.0.19041.3570","product_name":"Microsoft® Windows® Operating System","file_description":"Windows Explorer"},"parent_image":"","commandline":"C:\\windows\\Explorer.EXE","pe_timestamp_int":4115925191},"alert_time":"2023-11-17T15:56:45.217+00:00","agent":{"distroid":null,"domain":null,"ostype":"windows","additional_info":null,"version":"2.30.12-post0","groups":[],"dnsdomainname":"LAN","osversion":"10.0.19045","agentid":"684cb72e-caf0-4270-b12a-42ee794e76e7","osproducttype":"Windows 10 Enterprise","domainname":"LAN","hostname":"mthcht-lab"},"tenant":"","alert_unique_id":"40c1b272-c229-4c2e-9fa0-4bf4221a009a","maturity":"stable","mitre_cells":["defense-evasion__t1550.003"],"threat_values":["<drive>:\\windows\\explorer.exe"],"image_name":"C:\\Windows\\explorer.exe","msg":"Detects the creation of a file on disk with the .kirbi (Windows Kerberos Format), or .ccache (Linux Kerberos Format) extension.\n This is usually the result of memory secret extraction tools, such as mimikatz, which contain modules to export Kerberos tickets from memory.\n It is recommended to investigate the incident do determine if any unauthorized authentication has taken place. 
An investigative guide is present in the references.","detection_origin":"agent","threat_type":"commandline","tags":["attack.credential_accesss","attack.t1558","attack.defense_evasion","attack.t1550.003"],"aggregation_key":"7a0bc30cbbd9ba7b60316ab6bd2e9707120ec268d8ad9b03e2bc9ca5cea99e97","rule_id":"68fe4fff-4e59-4cff-a376-dc54db74ee2f","type":"rtlogs","@event_create_date":"2023-11-17T15:56:45.177Z"}

Local Account Creation + Script-Block Activity

signature="Local User Created via PowerShell"

{"status":"new","@timestamp":"2023-12-01T07:23:18.427078Z","execution":0,"threat_key":"472","alert_subtype":"process","rule_name":"Local User Created via PowerShell","alert_type":"sigma","groups":[],"log_type":"alert","@version":"1","tenant":"","level":"low","process":{"status":0,"fake_parent_image":"","log_platform_flag":0,"logonid":999,"log_type":"process","ancestors":"C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\wininit.exe","fake_parent_commandline":"","usersid":"S-1-5-18","hashes":{"sha1":"8db8ff070eabf20486dcd3ba7c84619081880a73","md5":"6726185b70b5adf05e8a1a1df82ebf30","sha256":"64dd55e1c2373deed25c2776f553c632e58c45e56a0e4639dfd54ee97eab9c19"},"sigma_rule_content":"title: Local User Created via PowerShell\nid: 742a1f89-039d-459e-b772-50a881353a76\ndescription: \"Detects the usage of PowerShell to create a new local user.\\n\nAttackers can create new users to achieve persistence.\"\nreferences:\n    - https://attack.mitre.org/techniques/T1136/001/\nstatus: stable\ndate: 2022/11/07\nmodified: 2022/11/10\nauthor: HarfangLab\ntags:\n    - attack.persistence\n    - attack.t1136.001\nlogsource:\n    category: powershell_event\n    product: windows\ndetection:\n    selection_command:\n        PowershellCommand|contains: 'New-LocalUser '\n\n    # To avoid FP on commandlets that don't necessarly execute the command\n    selection_args:\n        PowershellCommand|contains:\n            - ' -N' # For -Name or -NoPassword\n            - ' -P' # For -Password\n\n    condition: all of selection_*\nlevel: low\n","pid":8692,"username":"NT 
AUTHORITY\\SYSTEM","fake_ppid":0,"current_directory":"C:\\WINDOWS\\system32\\","signed":true,"image_name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","grandparent_image":"C:\\Windows\\System32\\services.exe","ioc_matches":[],"process_unique_id":"6c4b4b35-fe12-4215-f421-00db344760cf","parent_unique_id":"6c5b4b35-fe12-6215-6c0c-00fcafef588b","integrity_level":"System","pe_timestamp":"2023-01-08T13:36:53.000Z","ppid":3180,"signature_info":{"signed_catalog":true,"root_info":{"issuer_name":"Microsoft Root Certificate Authority 2010","display_name":"Microsoft Root Certificate Authority 2010","serial_number":"28cc3a25bfba44ac449a9b586b4339aa","thumbprint":"3b1efd3a66ea28b16697394703a72ca340a05bd5","thumbprint_sha256":"df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e"},"signer_info":{"issuer_name":"Microsoft Windows Production PCA 2011","display_name":"Microsoft Windows","serial_number":"330000041331bc198807a90774000000000413","thumbprint":"58fd671e2d4d200ce92d6e799ec70df96e6d2664","thumbprint_sha256":"1721693d3e23c7abf800ae7b86654ed86dceab48c530a57c00d24ef23ff7407e"},"signed_authenticode":false},"size":493568,"dont_create_process":true,"grandparent_commandline":"C:\\WINDOWS\\system32\\services.exe","session":0,"pe_imphash":"E3007C8E0098D06ABF617EEE6F0C5ABD","process_name":"powershell.exe","grandparent_integrity_level":"System","parent_commandline":"C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule","create_time":"2023-12-01T07:19:00.420Z","parent_integrity_level":"System","pe_info":{"internal_name":"POWERSHELL","file_version":"10.0.19041.3636 (WinBuild.160101.0800)","legal_copyright":"© Microsoft Corporation. 
All rights reserved.","pe_timestamp":"2023-01-08T13:36:53.000Z","company_name":"Microsoft Corporation","original_filename":"PowerShell.EXE","product_version":"10.0.19041.3636","product_name":"Microsoft® Windows® Operating System","file_description":"Windows PowerShell"},"parent_image":"C:\\Windows\\System32\\svchost.exe","commandline":"C:\\windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -ExecutionPolicy ByPass -File c:\\script\\useradd.ps1","pe_timestamp_int":1673185013},"alert_time":"2023-12-01T07:23:18.311+00:00","agent":{"distroid":null,"domain":null,"ostype":"windows","additional_info":null,"version":"2.30.12-post0","groups":[],"dnsdomainname":"LAN","osversion":"10.0.19045","agentid":"3d2a193d-fe12-4215-8ab4-ac59ca839259","osproducttype":"Windows 10 Enterprise","domainname":"2LAN","hostname":"mthcht-lab"},"alert_unique_id":"259fb519-f8b5-4307-8301-3225f6af7ea2","maturity":"stable","mitre_cells":["persistence__t1136.001"],"threat_values":[],"image_name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","msg":"Detects the usage of PowerShell to create a new local user.\n Attackers can create new users to achieve persistence.","detection_origin":"agent","details_powershell":{"PowershellCommand":"[Script content REDACTED]..."}}

signature="Powershell: Local User Creation"

{"alert_time":"2023-10-18T06:03:58.823+00:00","level":"low","process":{"current_directory":"C:\\WINDOWS\\system32","fake_parent_commandline":null,"log_platform_flag":0,"error_msg":"","integrity_level":"System","pe_timestamp_int":1673185013,"create_time":"2023-10-18T05:58:13.689Z","status_msg":"","commandline":"C:\\windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -ExecutionPolicy ByPass -File c:\\script\\useradd.ps1","pe_imphash":"REDACTED","parent_commandline":"C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p -s Schedule","parent_unique_id":"6c5b4b35-fe12-4215-0b58-00300be0ffba","dont_create_process":true,"logonid":999,"signature_info":{"signer_info":{"display_name":"Microsoft Windows","thumbprint":"8870483e0e833965a53f422494f1614f79286851","thumbprint_sha256":"2724aeb0c497bf5fd732958120d1ae3341cfd252ab1680de03d10503abc666c1","issuer_name":"Microsoft Windows Production PCA 2011","serial_number":"33000004158295a1a3d82e2857000000000415"},"signed_authenticode":false,"root_info":{"display_name":"Microsoft Root Certificate Authority 2010","thumbprint":"3b1efd3a66ea28b16697394703a72ca340a05bd5","thumbprint_sha256":"df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e","issuer_name":"Microsoft Root Certificate Authority 2010","serial_number":"28cc3a25bfba44ac449a9b586b4339aa"},"signed_catalog":true},"ppid":2904,"fake_parent_image":null,"grandparent_commandline":"C:\\WINDOWS\\system32\\services.exe","parent_image":"C:\\Windows\\System32\\svchost.exe","size":493568,"grandparent_image":"C:\\Windows\\System32\\services.exe","pid":3108,"session":0,"process_name":"powershell.exe","fake_parent_unique_id":null,"signed":true,"parent_integrity_level":"System","pe_timestamp":"2023-01-08T13:36:53.000Z","grandparent_integrity_level":"System","log_type":"process","process_unique_id":"6c5b4b35-fe12-4215-0c24-0088b71f7975","pe_info":{"file_version":"10.0.19041.3570 
(WinBuild.160101.0800)","internal_name":"POWERSHELL","original_filename":"PowerShell.EXE","product_name":"Microsoft® Windows® Operating System","company_name":"Microsoft Corporation","product_version":"10.0.19041.3570","file_description":"Windows PowerShell","legal_copyright":"© Microsoft Corporation. All rights reserved."},"username":"NT AUTHORITY\\SYSTEM","image_name":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","usersid":"S-1-5-18","status":0,"fake_ppid":null,"hashes":{"sha1":"d3ea331bdcc214ec7ea134492d2af8cf5195cc63","sha256":"2e3e40e8bf13d88396f22e7c6ae25b2725871e32237538414dff8485ecf19fa0","md5":"6b52731c45246987956829ded01331e0"}},"msg":"Detects the usage of PowerShell to create a new local user.\n Attackers can create new users to achieve persistence.","rule_name":"Powershell: Local User Creation","@version":"1","@timestamp":"2023-10-18T06:03:59.000Z","execution":0,"rule_id":"742a1f89-039d-459e-b772-50a881353a76","type":"rtlogs","aggregation_key":"b0cadeb8b6b7c9d29f8280f7ca3787ac2e291c0628973d96ab020c387442df69","maturity":"stable","mitre_cells":["persistence__t1136.001"],"agent":{"osproducttype":"Windows 10 Enterprise","hostname":"mthcht-lab","additional_info":{"additional_info4":null,"additional_info2":null,"additional_info1":null,"additional_info3":null},"agentid":"3d2a193d-fe12-4215-8ab4-bc59ca739259","distroid":null,"domain":null,"osversion":"10.0.19041","domainname":"LAN","version":"2.19.6","ostype":"windows"},"log_type":"alert","@event_create_date":"2023-10-18T05:58:25.450Z","alert_type":"sigma","detection_origin":"agent","tenant":"","status":"new","alert_unique_id":"806bd39a-a6f9-4c44-bf31-31ceb2afb0b1","details_powershell":{"PowershellScriptPath":"C:\\script\\useradd.ps1","PowershellCommand":"[Script content REDACTED]..."}}

Registry Activity

signature="Registry Autorun Key" and other signatures

{"process":{"current_directory":"C:\\windows\\system32","pe_timestamp":"1992-06-19T22:22:17.000Z","grandparent_commandline":"C:\\windows\\system32\\userinit.exe","pid":16276,"pe_info":{"company_name":"","original_filename":"","file_description":"","file_version":"3.14.0.1","internal_name":"","product_name":"","legal_copyright":"","product_version":"1.0.0.0"},"username":"LAN\\mthcht","parent_integrity_level":"Medium","fake_parent_unique_id":null,"status":0,"fake_parent_commandline":null,"parent_commandline":"C:\\windows\\Explorer.EXE","process_name":"feedreader.exe","usersid":"S-1-12-1-1643571562-1212312704-2006026917-1636723224","hashes":{"sha256":"b7f15950391cf0e64198db95afbe3e737aec56f6209d12ab4f284a3acbc76642","md5":"7c153262faa390c3f9b82b2d98b541c7","sha1":"bb1682580302849b75f7c48ff7265b393bb7e4e9"},"signature_info":{"signed_authenticode":false,"signer_info":{"serial_number":"","thumbprint_sha256":"","display_name":"","issuer_name":"","thumbprint":""},"signed_catalog":false,"root_info":{"serial_number":"","thumbprint_sha256":"","display_name":"","issuer_name":"","thumbprint":""}},"parent_image":"C:\\Windows\\explorer.exe","size":2058240,"log_type":"process","process_unique_id":"aea8f255-46bb-472f-3f72-00d34a3ceb68","commandline":"C:\\Users\\mtchht\\Downloads\\FeedReader314Setup\\feedreader.exe","grandparent_integrity_level":"Medium","integrity_level":"Medium","session":1,"image_name":"C:\\Users\\mtchht\\Downloads\\FeedReader314Setup\\feedreader.exe","fake_ppid":null,"signed":false,"dont_create_process":true,"fake_parent_image":null,"pe_timestamp_int":708992537,"status_msg":"","error_msg":"","logonid":5162282,"ppid":4168,"grandparent_image":"C:\\Windows\\System32\\userinit.exe","log_platform_flag":0,"pe_imphash":"FD0F508841FBB37B3581A05183260EB1","create_time":"2023-11-16T08:25:18.728Z","parent_unique_id":"aea8f254-46ba-472f-1040-004a6e12fce6"},"msg":"Detects when an entry is added/modified in one of the autostart extensibility point (ASEP) in 
registry","alert_type":"sigma","status":"new","@version":"1","maturity":"stable","rule_name":"Registry Autorun Key","log_type":"alert","type":"rtlogs","mitre_cells":["persistence__t1547.001"],"agent":{"version":"2.19.6","hostname":"mthcht-lab","distroid":null,"ostype":"windows","osversion":"10.0.19041","agentid":"dcdb2114-46ba-491b-7c34-aa0a26fc71b2","domain":null,"additional_info":{"additional_info1":null,"additional_info4":null,"additional_info3":null,"additional_info2":null},"osproducttype":"Windows 10 Pro","domainname":"LAN"},"alert_unique_id":"508e062e-de0b-4bdb-8077-9d541d8661b2","tenant":"","details_registry":{"target_object":"HKU\\S-1-12-1-1643571562-1212312704-2006026917-1636723224\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\feedreader.exe","details":"\"C:\\Users\\mthcht\\Downloads\\FeedReader314Setup\\feedreader.exe\"","event_type":"SetValue"},"@event_create_date":"2023-11-16T08:25:26.903Z","detection_origin":"agent","tags":["attack.persistence","attack.t1547.001","attack.t1112"],"aggregation_key":"4b3aeaa2eda2cdea6c4188fdb3f74a424e808919ebbde629e8d04eb13f69e824","alert_subtype":"process","@timestamp":"2023-11-16T08:28:08.536Z","level":"medium","rule_id":"970dca0d-7bda-4ab7-a60c-a23fa59e6627","execution":0,"alert_time":"2023-11-16T08:28:08.393+00:00"}

Key/Value Modification

signature=Windows Defender Exclusion List Modified

{"type":"rtlogs","log_type":"alert","status":"new","alert_subtype":"process","threat_type":"commandline","mitre_cells":["defense-evasion__t1112","defense-evasion__t1562.001"],"rule_name":"Windows Defender Exclusion List Modified","@timestamp":"2023-12-11T08:47:55.826643Z","tags":["attack.defense_evasion","attack.t1562.001","attack.t1112"],"@event_create_date":"2023-12-11T08:47:55.678Z","alert_unique_id":"b3f61cd4-6fac-45a8-b653-f7e045f70039","rule_id":"22822193-9f29-4f1e-8001-93546cec1e4a","process":{"grandparent_commandline":"wininit.exe","log_type":"process","parent_integrity_level":"System","process_name":"MsMpEng.exe","fake_parent_image":"","grandparent_image":"C:\\Windows\\System32\\wininit.exe","signed":true,"status":0,"ppid":1034,"usersid":"S-1-5-18","parent_unique_id":"3c445b36-b904-745a-0c06-00b4b2c07ef6","integrity_level":"System","commandline":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.23110.3-0\\MsMpEng.exe","signature_info":{"signed_catalog":false,"signer_info":{"serial_number":"33000004500da45d0a6c7a8a57000000000450","issuer_name":"Microsoft Windows Production PCA 2011","thumbprint":"51f97d144f979fdc7567baaf367a6c9343498948","thumbprint_sha256":"51d92b710ec40a6063130651b84a352b6fba5b7de05ea40d9a0fa7116fb629f6","display_name":"Microsoft Windows Publisher"},"root_info":{"serial_number":"28cc3a25bfba44ac449a9b586b4339aa","issuer_name":"Microsoft Root Certificate Authority 2010","thumbprint":"3b1efd3a66ea28b16697394703a72ca340a05bd5","thumbprint_sha256":"df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e","display_name":"Microsoft Root Certificate Authority 2010"},"signed_authenticode":true},"pe_info":{"legal_copyright":"© Microsoft Corporation. 
All rights reserved.","product_name":"Microsoft® Windows® Operating System","product_version":"4.18.23110.3","file_description":"Antimalware Service Executable","pe_timestamp":"1976-05-09T16:18:43.000Z","file_version":"4.18.23110.3 (9ebb3643d539a6fc4659898b1df3124d5da4c0a9)","original_filename":"MsMpEng.exe","company_name":"Microsoft Corporation","internal_name":"MsMpEng.exe"},"sigma_rule_content":"title: Windows Defender Exclusion List Modified\nid: 22822193-9f29-4f1e-8001-93546cec1e4a\ndescription: Detects the exclusion list of Windows Defender being modified outside of control panel.\nreferences:\n    - https://attack.mitre.org/techniques/T1562/001/\nstatus: stable\ndate: 2020/09/25\nmodified: 2023/10/26\nauthor: HarfangLab\ntags:\n    - attack.defense_evasion\n    - attack.t1562.001\n    - attack.t1112\nlogsource:\n    product: windows\n    service: sysmon\ndetection:\n    target:\n        EventID: 13\n        TargetObject|startswith:\n            # NOTE: Even when using PowerShell (via Add-MpPreference), msmpeng is always the one doing this operation.\n            - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\'\n            - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\'\n            - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\'\n    exclusion_is_empty:\n        Details: '(Empty)'\n\n    exclusion_hurukai:\n        TargetObject:\n            - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\C:\\Program Files\\HarfangLab'\n            - 'HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\C:\\Program Files\\HarfangLab\\\\*'\n        Details: 'DWORD (0x00000000)'\n\n    condition: target and not 1 of exclusion_*\nlevel: 
medium\n","dont_create_process":true,"parent_image":"C:\\Windows\\System32\\services.exe","log_platform_flag":0,"hashes":{"sha1":"8e51703b8b91287b0564c7684bc476e2d7888eff","sha256":"7acd545afee1c8c9210b4bb6aa73d93b35d6aad2e330ec94bbcd2732dc8008c0","md5":"6eb45e2626f7d47cb0f491a1f2ef7e3e"},"grandparent_integrity_level":"System","create_time":"2023-12-11T07:11:29.116Z","fake_parent_commandline":"","pe_imphash":"F189C7B818D0AA5FF3015F856E3C3A13","fake_ppid":0,"pe_timestamp_int":200506723,"pe_timestamp":"1976-05-09T16:18:43.000Z","logonid":999,"pid":5344,"ioc_matches":[],"ancestors":"C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\wininit.exe","size":133592,"session":0,"image_name":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.23110.3-0\\MsMpEng.exe","parent_commandline":"C:\\windows\\system32\\services.exe","username":"NT AUTHORITY\\SYSTEM","process_unique_id":"3c145b34-b606-464a-e014-004586ccfc6f","current_directory":""},"detection_origin":"agent","groups":[],"details_registry":{"event_type":"SetValue","details":"DWORD (0x00000000)","target_object":"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\bfbfb469-06db-8fd1-a749-46c534f1118c-SIAM-7adcea70-53c6-63c6-46f0-83d6d5c00469"},"msg":"Detects the exclusion list of Windows Defender being modified outside of control panel.","level":"medium","alert_type":"sigma","@version":"1","maturity":"stable","tenant":"","agent":{"osversion":"10.0.19045","osproducttype":"Windows 10 Enterprise","domain":null,"hostname":"mthcht-lab","distroid":null,"version":"2.30.12-post0","dnsdomainname":"LAN","ostype":"windows","groups":[],"agentid":"8b046ef4-b604-445a-7d4a-e79193453068","additional_info":null,"domainname":"LAN"},"threat_key":741,"alert_time":"2023-12-11T08:47:55.737+00:00","execution":0,"image_name":"C:\\ProgramData\\Microsoft\\Windows 
Defender\\Platform\\4.18.23110.3-0\\MsMpEng.exe","aggregation_key":"bc10df11cbb147a5926383b2f9f588b6dfb99b9c3265b2327ca305e00299f4eb","threat_values":["<drive>:\\programdata\\microsoft\\windows defender\\platform\\4.18.23110.3-0\\msmpeng.exe"]}

Scheduled Task Creation

signature="Scheduled Task Created in Temporary Directory"

{"type":"rtlogs","log_type":"alert","status":"new","alert_subtype":"process","threat_type":"commandline","mitre_cells":["execution__t1053","execution__t1053.005","privilege-escalation__t1053","privilege-escalation__t1053.005","persistence__t1053","persistence__t1053.005"],"rule_name":"Scheduled Task Created in Temporary Directory","@timestamp":"2023-11-24T13:12:04.112879Z","tags":["attack.execution","attack.persistence","attack.privilege_escalation","attack.t1053","attack.t1053.005"],"@event_create_date":"2023-11-24T13:12:04.460Z","alert_unique_id":"b22baa57-adf3-4727-b281-91ac841a5dd1","rule_id":"76107997-084f-46ed-aae8-41ca44b17c7c","process":{"grandparent_commandline":".\\setup.exe -install","log_type":"process","parent_integrity_level":"System","process_name":"schtasks.exe","fake_parent_image":"","grandparent_image":"C:\\SWSetup\\SP149612\\src\\Driver\\Setup.exe","signed":true,"status":0,"ppid":17088,"usersid":"S-1-5-18","parent_unique_id":"4d16e288-f7a1-2006-c044-00072b2dec45","integrity_level":"System","commandline":"schtasks /Create /TN ModifyLinkUpdate /XML C:\\WINDOWS\\TEMP\\\\ModifyLinkUpdateNew.xml","signature_info":{"signed_catalog":true,"signer_info":{"serial_number":"33000004158295a1a3d82e2857000000000415","issuer_name":"Microsoft Windows Production PCA 2011","thumbprint":"8870483e0e833965a53f422494f1614f79286851","thumbprint_sha256":"2724aeb0c497bf5fd732958120d1ae3341cfd252ab1680de03d10503abc666c1","display_name":"Microsoft Windows"},"root_info":{"serial_number":"28cc3a25bfba44ac449a9b586b4339aa","issuer_name":"Microsoft Root Certificate Authority 2010","thumbprint":"3b1efd3a66ea28b16697394703a72ca340a05bd5","thumbprint_sha256":"df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e","display_name":"Microsoft Root Certificate Authority 2010"},"signed_authenticode":false},"pe_info":{"legal_copyright":"© Microsoft Corporation. 
All rights reserved.","product_name":"Microsoft® Windows® Operating System","product_version":"10.0.19041.3636","file_description":"Task Scheduler Configuration Tool","pe_timestamp":"2041-12-28T02:39:22.000Z","file_version":"10.0.19041.3636 (WinBuild.160101.0800)","original_filename":"schtasks.exe","company_name":"Microsoft Corporation","internal_name":"schtasks.exe"},"sigma_rule_content":"title: Scheduled Task Created in Temporary Directory\nid: 76107997-084f-46ed-aae8-41ca44b17c7c\ndescription: Detects a scheduled task created from a temporary directory. They are commonly used by attackers for persistence or privilege escalation.\nreferences:\n    - https://attack.mitre.org/techniques/T1053/005/\nstatus: stable\ndate: 2021/02/08\nmodified: 2023/10/11\nauthor: HarfangLab\nlogsource:\n    category: process_creation\n  ...


How Has This Been Tested?


Test Configuration: default

Checklist:

Don't stress yourself out, just answer the above to the best of your ability and we can discuss in the comments 🙂
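The alert in the Key/Value Modification section above embeds its full Sigma rule, which makes it possible to check exactly what fires and what is deliberately whitelisted. The following is an added example, not HarfangLab's code and not part of the EDR-Telemetry project: it re-implements the rule's three selections (`target`, `exclusion_is_empty`, `exclusion_hurukai`) and its condition `target and not 1 of exclusion_*` in plain Python and runs them over records shaped like `details_registry`. It also addresses the caveat the rule itself notes: the alert's `process` is always `MsMpEng.exe`, so the account or script that actually added the exclusion has to be recovered from process telemetry. Assumptions made here: Sysmon `EventID: 13` is taken to correspond to HarfangLab's `event_type: "SetValue"`, Sigma string matching is treated as case-insensitive with `*` as the only wildcard, the 60-second correlation window and every record in `REGISTRY_WRITES` and `PROCESS_EVENTS` other than the page's own exclusion path are constructed for illustration.

```python
import fnmatch
from datetime import datetime, timedelta

# Lower-cased because Sigma string matching is case-insensitive.
EXCLUSION_KEYS = (
    "hklm\\software\\microsoft\\windows defender\\exclusions\\extensions\\",
    "hklm\\software\\microsoft\\windows defender\\exclusions\\paths\\",
    "hklm\\software\\microsoft\\windows defender\\exclusions\\processes\\",
)
# The rule's second value 'HKLM\...\HarfangLab\\*' decodes to a literal
# backslash followed by a wildcard: anything under the agent's install directory.
HARFANGLAB_SELF = (
    "hklm\\software\\microsoft\\windows defender\\exclusions\\processes\\c:\\program files\\harfanglab",
    "hklm\\software\\microsoft\\windows defender\\exclusions\\processes\\c:\\program files\\harfanglab\\*",
)


def _target(reg):
    """Selection 'target': Sysmon EventID 13 (value set), mapped here by
    assumption to event_type 'SetValue', under one of the three Exclusions keys."""
    obj = reg.get("target_object", "").lower()
    return reg.get("event_type") == "SetValue" and obj.startswith(EXCLUSION_KEYS)


def _exclusion_is_empty(reg):
    """Selection 'exclusion_is_empty': the key was created but holds no value yet."""
    return reg.get("details") == "(Empty)"


def _exclusion_hurukai(reg):
    """Selection 'exclusion_hurukai': the agent's own DWORD-0 exclusion entries."""
    obj = reg.get("target_object", "").lower()
    return reg.get("details") == "DWORD (0x00000000)" and any(
        fnmatch.fnmatchcase(obj, pat) for pat in HARFANGLAB_SELF
    )


def defender_exclusion_modified(reg):
    """condition: target and not 1 of exclusion_*"""
    return _target(reg) and not (_exclusion_is_empty(reg) or _exclusion_hurukai(reg))


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def likely_actors(alert, process_events, window=timedelta(seconds=60)):
    """The alert's own `process` is MsMpEng.exe (the rule's comment: the Defender
    service performs the write even for Add-MpPreference), so candidates for the
    real actor are taken from process telemetry on the same host, created within
    `window` before the registry write. Heuristic; this example's own."""
    host = alert["agent"]["hostname"]
    when = _ts(alert["@event_create_date"])
    return [
        p for p in process_events
        if p["agent"]["hostname"] == host
        and when - window <= _ts(p["create_time"]) <= when
    ]


# Constructed records shaped like the page's details_registry samples.
REGISTRY_WRITES = [
    {   # the exclusion path from the alert above: fires
        "event_type": "SetValue", "details": "DWORD (0x00000000)",
        "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\bfbfb469-06db-8fd1-a749-46c534f1118c-SIAM-7adcea70-53c6-63c6-46f0-83d6d5c00469",
    },
    {   # the agent excluding its own binary (constructed file name): whitelisted
        "event_type": "SetValue", "details": "DWORD (0x00000000)",
        "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\C:\\Program Files\\HarfangLab\\agent.exe",
    },
    {   # key created with no value yet: excluded by exclusion_is_empty
        "event_type": "SetValue", "details": "(Empty)",
        "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public",
    },
    {   # extension exclusion: fires
        "event_type": "SetValue", "details": "DWORD (0x00000000)",
        "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.ps1",
    },
    {   # another Defender key, outside this rule's scope (needs its own rule)
        "event_type": "SetValue", "details": "DWORD (0x00000001)",
        "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
    },
]

ALERT = {"agent": {"hostname": "mthcht-lab"}, "@event_create_date": "2023-12-11T08:47:55.678Z"}
PROCESS_EVENTS = [  # constructed process telemetry around the alert time
    {"agent": {"hostname": "mthcht-lab"}, "create_time": "2023-12-11T07:11:29.116Z",
     "image_name": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.23110.3-0\\MsMpEng.exe"},
    {"agent": {"hostname": "mthcht-lab"}, "create_time": "2023-12-11T08:47:41.002Z",
     "image_name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"agent": {"hostname": "other-host"}, "create_time": "2023-12-11T08:47:50.000Z",
     "image_name": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for reg in REGISTRY_WRITES:
        print(defender_exclusion_modified(reg), reg["target_object"])
    print([p["image_name"] for p in likely_actors(ALERT, PROCESS_EVENTS)])
```

Note that a DWORD-0 write under `Exclusions\Processes\C:\Program Files\HarfangLab\` is silent by design; anything that can write to that path therefore gets a free process exclusion, which is a reason to monitor that key with a separate rule.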

mthcht commented 7 months ago

For the real telemetry logs that are continuously logged (they have a similar format, but we only have 3 categories: process, network and authentication):

process sample:

Windows

```json
{ "parent_integrity_level": "Medium", "tenant": "[REDACTED]", "fake_ppid": 0, "signed": true, "ancestors": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\userinit.exe|C:\\Windows\\System32\\winlogon.exe", "pe_timestamp": "2023-12-07T03:32:10.000Z", "process_name": "msedge.exe", "parent_image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "groups": [ { "id": "[REDACTED]", "name": "[REDACTED]_Workstations_Windows" } ], "grandparent_integrity_level": "Medium", "size": 3788736, "@version": "1", "session": 1, "usersid": "[REDACTED]", "process_unique_id": "[REDACTED]", "grandparent_image": "C:\\Windows\\explorer.exe", "pe_imphash": "EA4CA1F8E3B3D9373D39C13FD1348A63", "fake_parent_commandline": "", "image_name": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "logonid": 1620357, "ppid": 15836, "fake_parent_image": "", "agent": { "domain": null, "distroid": null, "dnsdomainname": "lab.thunting.io", "agentid": "[REDACTED]", "osversion": "10.0.19045", "ostype": "windows", "hostname": "PKYRLAB01278", "domainname": "thunting", "additional_info": null, "version": "3.2.5", "osproducttype": "Windows 10 Pro" }, "pe_info": { "file_version": "120.0.2210.61", "product_version": "120.0.2210.61", "file_description": "Microsoft Edge", "product_name": "Microsoft Edge", "company_name": "Microsoft Corporation", "legal_copyright": "Copyright Microsoft Corporation. All rights reserved.", "pe_timestamp": "2023-12-07T03:32:10.000Z", "internal_name": "msedge_exe", "original_filename": "msedge.exe" }, "signature_info": { "signed_catalog": false, "root_info": { "thumbprint_sha256": "847df6a78497943f27fc72eb93f9a637320a02b561d0a91b09e87a7807ed7c61", "display_name": "Microsoft Root Certificate Authority 2011", "thumbprint": "8f43288ad272f3103b6fb1428485ea3014c0bcfe", "issuer_name": "Microsoft Root Certificate Authority 2011", "serial_number": "3f8bc8b5fc9fb29643b569d66c42e144" }, "signer_info": { "thumbprint_sha256": "36305d4ddfd4756d17fcdfb742fd2031a3d5133bce34bd8e3080bc803ae44d0b", "display_name": "Microsoft Corporation", "thumbprint": "05a822642cf64464460cb4684ff11c7f476873ca", "issuer_name": "Microsoft Code Signing PCA 2011", "serial_number": "33000003a54111e8f07fbe0b750000000003a5" }, "signed_authenticode": true }, "@event_create_date": "2023-12-15T08:04:10.672Z", "parent_commandline": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe --no-startup-window --win-session-start", "integrity_level": "Medium", "commandline": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe --flag-switches-begin --flag-switches-end --no-startup-window", "hashes": { "md5": "47fc8f5fb47abf51cd14cf9c83c6e019", "sha1": "564af8862fdf147d43c0b6dd02d1c2f7dac40ed2", "sha256": "1448d70a502e2a605f25751bb0b73f35667ce374393f87a1871b7ed733768899" }, "grandparent_commandline": "C:\\WINDOWS\\Explorer.EXE", "current_directory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\", "@timestamp": "2023-12-15T08:04:17.393736Z", "pe_timestamp_int": 1701919930, "log_type": "process", "pid": 8816, "parent_unique_id": "[REDACTED]", "log_platform_flag": 0, "username": "LAB\\mthcht" }
```

Linux

```json
{ "ppid": 768, "process_name": "ps", "grandparent_image": "/opt/gitlab/embedded/bin/ruby", "group": "git", "@timestamp": "2023-12-15T08:35:34.287697Z", "process_unique_id": "[REDACTED]", "log_platform_flag": 0, "log_type": "process", "commandline": "ps -o rss= -p 768", "uid": 997, "suid": 997, "size": 133432, "@event_create_date": "2023-12-15T08:35:15.000Z", "pid": 172951, "sgroup": "git", "hashes": { "md5": "76b16779348e260bf0e41c84f9b37e6a", "sha256": "f7bcd10b455d762ec803fab47031f38ebe3042ea5a91a0d655a98d7a83d6c466", "sha1": "206dcc1b639d79278ca32560f2d906fabff41f09" }, "egid": 997, "groups": [ { "id": "[REDACTED]", "name": "[REDACTED]_Workstation_Linux_Prod" } ], "image_name": "/usr/bin/ps", "gid": 997, "euid": 997, "username": "git", "eusername": "git", "parent_unique_id": "[REDACTED]", "agent": { "distroid": "debian", "osproducttype": "Debian GNU/Linux 10 (buster)", "hostname": "abfgioappli", "osversion": "4.19.0-18-amd64", "additional_info": null, "domainname": null, "dnsdomainname": null, "domain": null, "ostype": "linux", "version": "3.2.5", "agentid": "[REDACTED]" }, "current_directory": "/opt/gitlab/embedded/service/gitlab-rails/", "susername": "git", "tenant": "[REDACTED]", "grandparent_commandline": "ruby /opt/gitlab/embedded/service/gitlab-rails/bin/sidekiq-cluster -e production -r /opt/gitlab/embedded/service/gitlab-rails -m 50 --timeout 25 *", "sgid": 997, "egroup": "git", "ancestors": "/opt/gitlab/embedded/bin/ruby|/opt/gitlab/embedded/bin/ruby|/opt/gitlab/embedded/bin/runsv|/opt/gitlab/embedded/bin/runsvdir|/usr/lib/systemd/systemd", "parent_commandline": "sidekiq 6.2.2 queues:authorized_project_update:authorized_project_update_project_create,authorized_project_update:authorized_project_update_project_group_link_create,authorized_project_update:authorized_project_update_project_recalculate,authorized_project_update:authorized_project_update_project_recalculate_per_user,authorized_project_update:authorized_project_update_user_refresh_from_replica,authorized_project_update:authorized_project_update_user_refresh_over_user_range,authorized_project_update:authorized_project_update_user_refresh_with_low_urgency,auto_devops:auto_devops_disable,auto_merge:auto_merge_process,chaos:chaos_cpu_spin,chaos:chaos_db_spin,chaos:chaos_kill,chaos:chaos_leak_mem,chaos:chaos_sleep,container_repository:cleanup_container_repository,container_repository:container_expiration_policies_cleanup_container_repository,container_repository:delete_container_repository,cronjob:admin_email,cronjob:analytics_usage_trends_count_job_trigger,cronjob:authorized_project_update_periodic_recalculate...", "@version": "1", "parent_image": "/opt/gitlab/embedded/bin/ruby" }
```

network samples:

IP

```json
{ "agent": { "distroid": null, "osproducttype": "Windows 10 Pro", "hostname": "PKYRLAB01378", "osversion": "10.0.19045", "additional_info": null, "domainname": "thunting", "dnsdomainname": "lab.thunting.io", "domain": null, "ostype": "windows", "version": "3.2.5", "agentid": "[REDACTED]" }, "image_name": "C:\\Users\\mthcht\\AppData\\Local\\CiscoSparkLauncher\\CiscoCollabHost.exe", "@timestamp": "2023-12-15T08:35:52.205452Z", "username": "LAB\\mthcht", "process_unique_id": "[REDACTED]", "initiated": true, "tenant": "[REDACTED]", "log_type": "network", "event_id": [ 3, 3 ], "direction": "out", "conn_type": 0, "saddr": "192.168.12.19", "dport": 443, "sport": 62026, "pid": 16568, "is_ipv6": false, "@version": "1", "@event_create_date": "2023-12-15T08:35:15.829Z", "daddr": "170.72.238.121", "groups": [ { "id": "[REDACTED]", "name": "[REDACTED]_Workstations_Windows" } ] }
```

DNS

```json
{ "agent": { "domain": null, "distroid": null, "dnsdomainname": "lab.thunting.io", "agentid": "[REDACTED]", "osversion": "10.0.22621", "ostype": "windows", "hostname": "PKYRLAB01478", "domainname": "thunting", "additional_info": null, "version": "3.2.5", "osproducttype": "Windows 11 Pro" }, "@event_create_date": "2023-12-15T08:35:15.718000+00:00", "status": "success", "tenant": "[REDACTED]", "raw_windows_resolver_results": "::ffff:172.217.20.170;", "query_type": "AAAA", "groups": [ { "id": "[REDACTED]", "name": "[REDACTED]_Workstations_Windows" } ], "requested_name": "signaler-pa.clients6.google.com", "@version": "1", "process_image_path": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "process_unique_id": "[REDACTED]", "@timestamp": "2023-12-15T08:36:02.423041Z", "ip_addresses": [ "172.217.20.170" ], "log_type": "dns_resolution", "pid": 16000, "username": "LAB\\mthcht" }
```

authentication samples:

```json
{ "destination": "syslog", "@timestamp": "2023-12-15T08:35:18.404738Z", "log_name": "Security", "thread_id": 49060, "log_type": "eventlog", "event_id": 4624, "@event_create_date": "2023-12-15T08:35:14.637Z", "computer_name": "SRVCXWIN2P1.lab.thunting.io", "groups": [ { "id": "[REDACTED]", "name": "[REDACTED]_Workstations_Windows" } ], "agent": { "distroid": null, "osproducttype": "Windows Server 2019 Standard", "hostname": "SRVCXWIN2P1", "osversion": "10.0.17763", "additional_info": null, "domainname": "thunting", "dnsdomainname": "lab.thunting.io", "domain": null, "ostype": "windows", "version": "3.2.5", "agentid": "[REDACTED]" }, "source_name": "Microsoft-Windows-Security-Auditing", "keywords": [ "AuditSuccess", "ReservedKeyword63" ], "process_id": 1760, "provider_guid": "54849625-5478-4994-a5ba-3e3b0328c30d", "user_data": {}, "tenant": "[REDACTED]", "@version": "1", "record_number": 159433927, "type": "wineventlog", "level": "log_always", "event_data": { "LmPackageName": "NTLM V1", "KeyLength": "128", "LogonType": "3", "SubjectUserSid": "S-1-0-0", "AuthenticationPackageName": "NTLM", "TransmittedServices": "-", "TargetDomainName": "thunting", "ElevatedToken": "%%1842", "SubjectUserName": "-", "SubjectDomainName": "-", "TargetOutboundUserName": "-", "TargetUserSid": "[REDACTED]", "VirtualAccount": "%%1843", "IpPort": "63481", "SubjectLogonId": "0x0", "LogonProcessName": "NtLmSsp", "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "TargetLogonId": "0x6d0fec05", "ProcessId": "0x0", "ProcessName": "-", "ImpersonationLevel": "%%1833", "IpAddress": "10.0.0.62", "TargetUserName": "mthcht", "WorkstationName": "SRVCXWIN2P1", "TargetLinkedLogonId": "0x0", "TargetOutboundDomainName": "-", "RestrictedAdminMode": "-" }, "user": { "domain": "", "name": "", "identifier": "", "type": "unknown" } }
```

@tsale I changed the PR: when an alert is triggered for a specific event but there are no available telemetry logs to support it (for instance, an 'image loaded' event is only logged as an alert when a threat is identified, without continuous telemetry tracking for image loading), I categorize the telemetry as 'No'.
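The scoring rule stated in the comment above (alert-only evidence does not count as telemetry) and the three continuously logged categories it lists can be turned into a small classifier. The following is an added example, not part of the EDR-Telemetry project and not HarfangLab code: it maps HarfangLab-style events to a category by `log_type`, flags events that only exist because a Sigma rule fired, and scores each category Yes or No the way the comment describes. The category labels are this example's own rather than the project's table headings, the mapping of Security event ID 4625 is an assumption (only 4624 appears in the samples), and every record in `SAMPLE_EVENTS` is constructed from the field names and values shown in this thread, trimmed to the fields used.

```python
from collections import defaultdict

# Constructed events, trimmed to the fields used below; shapes and field names
# follow the HarfangLab samples posted in this thread.
SAMPLE_EVENTS = [
    {"log_type": "process", "image_name": "C:\\Windows\\System32\\ipconfig.exe",
     "commandline": "ipconfig /all", "username": "LAN\\mthcht",
     "agent": {"hostname": "mthcht-lab", "ostype": "windows"}},
    {"log_type": "process", "image_name": "/usr/bin/ps", "commandline": "ps -o rss= -p 768",
     "username": "git", "uid": 997, "euid": 997,
     "agent": {"hostname": "abfgioappli", "ostype": "linux"}},
    {"log_type": "network", "direction": "out", "saddr": "192.168.12.19", "sport": 62026,
     "daddr": "170.72.238.121", "dport": 443, "is_ipv6": False,
     "image_name": "C:\\Users\\mthcht\\AppData\\Local\\CiscoSparkLauncher\\CiscoCollabHost.exe",
     "agent": {"hostname": "PKYRLAB01378", "ostype": "windows"}},
    {"log_type": "dns_resolution", "requested_name": "signaler-pa.clients6.google.com",
     "query_type": "AAAA", "ip_addresses": ["172.217.20.170"],
     "process_image_path": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "agent": {"hostname": "PKYRLAB01478", "ostype": "windows"}},
    {"log_type": "eventlog", "log_name": "Security", "event_id": 4624,
     "event_data": {"LogonType": "3", "TargetUserName": "mthcht", "IpAddress": "10.0.0.62",
                    "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
     "agent": {"hostname": "SRVCXWIN2P1", "ostype": "windows"}},
    # Registry activity is only seen as a Sigma alert, never as a continuous event.
    {"log_type": "alert", "alert_type": "sigma", "rule_name": "Registry Autorun Key",
     "details_registry": {"event_type": "SetValue",
                          "target_object": "HKU\\S-1-12-1-1643571562-1212312704-2006026917-1636723224\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\feedreader.exe"},
     "process": {"image_name": "C:\\Users\\mtchht\\Downloads\\FeedReader314Setup\\feedreader.exe"},
     "agent": {"hostname": "mthcht-lab", "ostype": "windows"}},
]

# 4624 is the ID shown on the page; 4625 is an assumption about what else is forwarded.
SECURITY_EVENT_IDS = {4624: "Account Login Successful", 4625: "Account Login Failed"}


def telemetry_category(event):
    """Return (category, kind). kind is 'telemetry' for continuously logged events
    and 'alert-only' for events that exist only because a detection rule fired."""
    lt = event.get("log_type")
    if lt == "process":
        return "Process Creation", "telemetry"
    if lt == "network":
        return "Network Connection", "telemetry"
    if lt == "dns_resolution":
        return "DNS Query", "telemetry"
    if lt == "eventlog" and event.get("log_name") == "Security":
        return SECURITY_EVENT_IDS.get(event.get("event_id"), "Security Event Log"), "telemetry"
    if lt == "alert":
        if "details_registry" in event:
            return "Registry Key/Value Modification", "alert-only"
        if "details_powershell" in event:
            return "PowerShell Script Execution", "alert-only"
        return "Process Creation", "alert-only"
    return "Unmapped", "unknown"


def coverage(events):
    """Score each category Yes/No: a category backed only by alerts is 'No'."""
    kinds = defaultdict(set)
    for event in events:
        category, kind = telemetry_category(event)
        if kind != "unknown":
            kinds[category].add(kind)
    return {cat: ("Yes" if "telemetry" in k else "No") for cat, k in kinds.items()}


def summarize(event):
    """One line per event, resolving the fields that differ between event types.
    Linux process records carry uid/euid, so a mismatch (a privilege change) is
    shown where a Windows record would expose integrity_level instead."""
    agent = event.get("agent", {})
    host = agent.get("hostname", "?")
    lt = event.get("log_type")
    if lt == "process":
        who = event.get("username")
        if agent.get("ostype") == "linux" and event.get("uid") != event.get("euid"):
            who = f"{who} (uid {event['uid']} -> euid {event['euid']})"
        return f"{host}: {event.get('image_name')} [{event.get('commandline')}] as {who}"
    if lt == "network":
        return (f"{host}: {event.get('image_name')} {event.get('direction')} "
                f"{event.get('saddr')}:{event.get('sport')} -> {event.get('daddr')}:{event.get('dport')}")
    if lt == "dns_resolution":
        return (f"{host}: {event.get('process_image_path')} resolved {event.get('requested_name')} "
                f"({event.get('query_type')}) -> {','.join(event.get('ip_addresses', []))}")
    if lt == "eventlog":
        d = event.get("event_data", {})
        return (f"{host}: EID {event.get('event_id')} {d.get('TargetUserName')} from "
                f"{d.get('IpAddress')} logon type {d.get('LogonType')} via {d.get('AuthenticationPackageName')}")
    if lt == "alert":
        return f"{host}: ALERT {event.get('rule_name')} (not telemetry)"
    return f"{host}: unmapped log_type {lt}"


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(summarize(event))
    for category, score in sorted(coverage(SAMPLE_EVENTS).items()):
        print(f"{score:3} {category}")
```

Run on the constructed sample set, the registry category comes out as No even though an alert for it is present, which is exactly the case the comment describes; adding a single `log_type: "process"` record makes Process Creation Yes regardless of how many process alerts are also present.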

tsale commented 6 months ago

Thanks for the edits @mthcht! I'll approve these changes.

For transparency, I chatted with @mthcht directly regarding this PR requesting more information.