From 137067fa2d040d24b56f4f1770c9dcb8ceb70f92 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Fri, 19 Jul 2024 13:54:38 -0300 Subject: [PATCH 1/3] [New Rule] Potential WSUS Abuse for Lateral Movement
---
 .../lateral_movement_via_wsus_update.toml | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 rules/windows/lateral_movement_via_wsus_update.toml
diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml
new file mode 100644
index 00000000000..54bc694a3e9
--- /dev/null
+++ b/rules/windows/lateral_movement_via_wsus_update.toml
@@ -0,0 +1,70 @@
+[metadata]
+creation_date = "2024/07/19"
+integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m365_defender"]
+maturity = "production"
+updated_date = "2024/07/19"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a potential Windows Server Update Services (WSUS) abuse to execute attackers payloads for lateral movement.
+WSUS is limited to execute Microsoft signed binaries, which limits the executables that can be used to tools published
+by microsoft or Windows native executables.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential WSUS Abuse for Lateral Movement"
+references = ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing"]
+risk_score = 21
+rule_id = "8e2485b6-a74f-411b-bf7f-38b819f3a846"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon",
+ "Data Source: Microsoft Defender for Endpoint"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and
+process.executable : "?:\\Windows\\SoftwareDistribution\\Download\\Install\\*" and
+(
+ process.name : (
+ "cmd.exe", "cscript.exe", "ieexec.exe", "iexpress.exe", "installutil.exe", "Microsoft.Workflow.Compiler.exe",
+ "msbuild.exe", "mshta.exe", "msiexec.exe", "msxsl.exe", "net.exe", "net1.exe", "powershell.exe", "pwsh.exe",
+ "reg.exe", "RegAsm.exe", "RegSvcs.exe", "regsvr32.exe", "rundll32.exe", "vssadmin.exe", "wbadmin.exe",
+ "wmic.exe", "wscript.exe", "bitsadmin.exe", "certutil.exe", "schtasks.exe",
"cmstp.exe", "sc.exe", "curl.exe", + "ScriptRunner.exe", "Workfolders.exe", "psexec64.exe" + ) or + ?process.pe.original_file_name : ( + "cmd.exe", "cscript.exe", "ieexec.exe", "iexpress.exe", "installutil.exe", "Microsoft.Workflow.Compiler.exe", + "msbuild.exe", "mshta.exe", "msiexec.exe", "msxsl.exe", "net.exe", "net1.exe", "powershell.exe", "pwsh.dll", + "reg.exe", "RegAsm.exe", "RegSvcs.exe", "regsvr32.exe", "rundll32.exe", "vssadmin.exe", "wbadmin.exe", + "wmic.exe", "wscript.exe", "bitsadmin.exe", "certutil.exe", "schtasks.exe", "cmstp.exe", "sc.exe", "curl.exe", + "ScriptRunner.exe", "Workfolders.exe", "sctasks.exe", "psexec.c" + ) +) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1210" +name = "Exploitation of Remote Services" +reference = "https://attack.mitre.org/techniques/T1210/" + + +[rule.threat.tactic] +id = "TA0008" +name = "Lateral Movement" +reference = "https://attack.mitre.org/tactics/TA0008/" + From 2d4d8a50eae73d914ce7b1c0d406a6f30559cba0 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Fri, 19 Jul 2024 13:58:00 -0300 Subject: [PATCH 2/3] Update lateral_movement_via_wsus_update.toml --- rules/windows/lateral_movement_via_wsus_update.toml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml index 54bc694a3e9..6a83abb990f 100644 --- a/rules/windows/lateral_movement_via_wsus_update.toml +++ b/rules/windows/lateral_movement_via_wsus_update.toml 
@@ -7,9 +7,9 @@ updated_date = "2024/07/19"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies a potential Windows Server Update Services (WSUS) abuse to execute attackers payloads for lateral movement.
-WSUS is limited to execute Microsoft signed binaries, which limits the executables that can be used to tools published
-by microsoft or Windows native executables.
+Identifies a potential Windows Server Update Services (WSUS) abuse to execute attackers' payloads for lateral movement.
+WSUS is limited to executing Microsoft signed binaries, which limits the executables that can be used to tools published
+by Microsoft or Windows native executables.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*"]
@@ -28,6 +28,7 @@ tags = [
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
+ "Data Source: SentinelOne",
 "Data Source: Microsoft Defender for Endpoint"
 ]
 timestamp_override = "event.ingested"
From 53a2bffd5eb18d57da74d3403c01c8eca713fb35 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Mon, 22 Jul 2024 14:25:05 -0300 Subject: [PATCH 3/3] Update lateral_movement_via_wsus_update.toml
---
 .../lateral_movement_via_wsus_update.toml | 25 ++++--------------- 1 file changed, 5 insertions(+), 20 deletions(-)
diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml
index 6a83abb990f..007ac47ee42 100644
--- a/rules/windows/lateral_movement_via_wsus_update.toml
+++ b/rules/windows/lateral_movement_via_wsus_update.toml
@@ -7,9 +7,9 @@ updated_date = "2024/07/19"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies a potential Windows Server Update Services (WSUS) abuse to execute attackers' payloads for lateral movement.
+Identifies a potential Windows Server Update Services (WSUS) abuse to execute psexec to enable for lateral movement.
 WSUS is limited to executing Microsoft signed binaries, which limits the executables that can be used to tools published
-by Microsoft or Windows native executables.
+by Microsoft.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*"]
@@ -17,9 +17,9 @@ language = "eql"
 license = "Elastic License v2"
 name = "Potential WSUS Abuse for Lateral Movement"
 references = ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing"]
-risk_score = 21
+risk_score = 47
 rule_id = "8e2485b6-a74f-411b-bf7f-38b819f3a846"
-severity = "low"
+severity = "medium"
 tags = [
 "Domain: Endpoint",
 "OS: Windows",
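Review bot: The new first sentence of `description` reads `to execute psexec to enable for lateral movement`, which is ungrammatical and no longer states plainly what the rule looks for; I would write it as `Identifies potential abuse of Windows Server Update Services (WSUS) to execute PsExec for lateral movement.` The trimmed second sentence ending in `by Microsoft.` is fine, since PsExec is a Microsoft-published Sysinternals tool. Note that `name` stays the generic "Potential WSUS Abuse for Lateral Movement" while the query, narrowed in the last hunk of this patch, matches PsExec only, so the description should carry that PsExec-specific scope so analysts do not assume broader coverage.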
@@ -37,22 +37,7 @@ type = "eql"
 query = '''
 process where host.os.type == "windows" and event.type == "start" and process.parent.name : "wuauclt.exe" and
 process.executable : "?:\\Windows\\SoftwareDistribution\\Download\\Install\\*" and
-(
- process.name : (
- "cmd.exe", "cscript.exe", "ieexec.exe", "iexpress.exe", "installutil.exe", "Microsoft.Workflow.Compiler.exe",
- "msbuild.exe", "mshta.exe", "msiexec.exe", "msxsl.exe", "net.exe", "net1.exe", "powershell.exe", "pwsh.exe",
- "reg.exe", "RegAsm.exe", "RegSvcs.exe", "regsvr32.exe", "rundll32.exe", "vssadmin.exe", "wbadmin.exe",
- "wmic.exe", "wscript.exe", "bitsadmin.exe", "certutil.exe", "schtasks.exe", "cmstp.exe", "sc.exe", "curl.exe",
- "ScriptRunner.exe", "Workfolders.exe", "psexec64.exe"
- ) or
- ?process.pe.original_file_name : (
- "cmd.exe", "cscript.exe", "ieexec.exe", "iexpress.exe", "installutil.exe", "Microsoft.Workflow.Compiler.exe",
- "msbuild.exe", "mshta.exe", "msiexec.exe", "msxsl.exe", "net.exe", "net1.exe", "powershell.exe", "pwsh.dll",
- "reg.exe", "RegAsm.exe", "RegSvcs.exe", "regsvr32.exe", "rundll32.exe", "vssadmin.exe", "wbadmin.exe",
- "wmic.exe", "wscript.exe", "bitsadmin.exe", "certutil.exe", "schtasks.exe", "cmstp.exe", "sc.exe", "curl.exe",
- "ScriptRunner.exe", "Workfolders.exe", "sctasks.exe", "psexec.c"
- )
-)
+(process.name : "psexec64.exe" or ?process.pe.original_file_name : "psexec.c")
 '''
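Review bot: The `process.name` arm of the new condition matches only `psexec64.exe`, while the `?process.pe.original_file_name` arm matches `psexec.c`; as far as I recall the 32-bit `psexec.exe` build carries that same `psexec.c` OriginalFileName, so the two arms are not equivalent and the name arm should read `process.name : ("psexec.exe", "psexec64.exe")`. This matters because the leading `?` makes the PE field optional: on a source that does not populate it (the `logs-system.security-*` index in this rule likely does not, worth confirming) the detection rests on the file name alone, and a 32-bit PsExec, or any renamed copy, is missed there. The full line would be `(process.name : ("psexec.exe", "psexec64.exe") or ?process.pe.original_file_name : "psexec.c")`. The narrowing from the earlier LOLBin list is a deliberate precision trade-off and I am not asking to revert it.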