sigma
sigma copied to clipboard
SigmaHQ
Develop Sigma rules for Privilege Escalation in Windows Environment
- Research (slides): Hunting for Privilege Escalation in Windows Environment
- Author: Teymur Kheirkhabarov, @HeirhabarovT
- Type: Ready-made alerts (Kibana queries)
- Requirements: Create one Pull Request per Sigma rule
You can pick up some of the listed Kibana queries from the slides and develop Sigma rules out of them:
| Page | Sigma Rule ID / Link | Topic |
|---|---|---|
| 13 | None | Stored Credentials. Files |
| 16 | None | Stored Credentials. Files/registry |
| 20 | None | Service registry permissions weakness |
| 21 | 0f9c21f1-6a73-4b0e-9809-cb562cb8d981 | Service registry permissions weakness |
| 29 | d937b75f-a665-4480-88a5-2f20e9f9b22a | Weak service permissions |
| 34 | None | Unquoted service path |
| 37 | None | Modifiable service binary |
| 38 | None | Modifiable service binary |
| 43 | None | Privilege escalation via weak permissions. Accesschk tool usage |
| 48 | None | Always Install Elevated |
| 50 | None | Always Install Elevated |
| 58 | 8065b1b4-1778-4427-877f-6bf948b26d38 | Windows Kernel and 3rd-party drivers exploits. Token stealing |
| 61 | None | Token swapping, using Mimikatz driver |
| 67 | None | Abusing debug privilege. Code injection |
| 69 | None | Abusing debug privilege. Code injection |
| 74 | None | Abusing debug privilege. Create process with arbitrary parent |
| 85 | 6c5808ee-85a2-4e56-8137-72e5876a5096 | Privilege escalation from Service accounts to SYSTEM |
| 87 | None | Webshell/xp_cmdshell |
| 90 | 15619216-e993-4721-b590-4c520615a67d, 843544a7-56e0-4dcc-a44f-5cc266dd97d6 | Meterpreter or Cobalt Strike getsystem service installation/start |
| 95 | None | Abusing impersonation + debug privileges. Tokenvator |
| 96 | None | Generic detector of token swapping |
| 97 | 80167ada-7a12-41ed-b8e9-aa47195c66a1 | Run whoami as SYSTEM |
43, 48, 50
I have some questions on both 48 and 50:
- Page 48 is relying on chain of 2 events (event 1 then event 2), do you think it's better if we split this into 2 rules?
- For page 50, the second event is using ParentOfParent field, which i don't think it's a default Sysmon field. Should i transform this to a rule as is or skip it?
For 34, I don't think it will be possible to replicate the script section of the kibana query at this time using sigma and I don't think the query covers the situation completely so I'm going to skip it for now, but I'm open to feedback and suggestions if anyone has them.
@tas-kmanager:
43, 48, 50
I have some questions on both 48 and 50:
- Page 48 is relying on chain of 2 events (event 1 then event 2), do you think it's better if we split this into 2 rules?
- For page 50, the second event is using ParentOfParent field, which i don't think it's a default Sysmon field. Should i transform this to a rule as is or skip it?
Page 48: make sense to create a rule for rules-unsupported, improving the current situation with lack of examples for the new sigmac converter (which is under development). You are very welcome to do that (:
For page 50: you can add enrichment field to the rule with the following parameters:
enrichment:
- EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x
- EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l
as it was done for this rule. And then it's gonna fly (:
Page 48: make sense to create a rule for rules-unsupported, improving the current situation with lack of examples for the new sigmac converter (which is under development). You are very welcome to do that (:
For page 50: you can add
enrichmentfield to the rule with the following parameters:enrichment: - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0las it was done for this rule. And then it's gonna fly (:
Thanks for the guidance I will do both of your suggestions, never created unsupported or enrichment sigma before but i will try my best! The existing examples are helpful.
Follow up question for 48. I do have a rule that looks for Windows Installer service (msiexec.exe) when it tries to install MSI packages with SYSTEM privilege, do you think i should submit this rule?
Follow up question for 48. I do have a rule that looks for Windows Installer service (msiexec.exe) when it tries to install MSI packages with SYSTEM privilege, do you think i should submit this rule?
Hello @tas-kmanager! Yes, absolutely! Just make sure there is no such rule in the ruleset.
38 seems to intend that you use it with the results of 37 - I don't believe that is something supported by sigma, but I'm open to suggestions on how to implement that rule.
38 seems to intend that you use it with the results of 37 - I don't believe that is something supported by sigma, but I'm open to suggestions on how to implement that rule.
@ryanplasma Is it possible to implement with the enrichments, just like we did with here?
Need to be check before close
| Page | Sigma Rule ID / Link | Topic |
|---|---|---|
| 61 | Not possible | Token swapping, using Mimikatz driver |
| 67 | Not possible | Abusing debug privilege. Code injection |
| 69 | Not possible | Abusing debug privilege. Code injection |
| 74 | X | Abusing debug privilege. Create process with arbitrary parent |
| 95 | Not possible | Abusing impersonation + debug privileges. Tokenvator |
| 96 | Not possible | Generic detector of token swapping |
Some are Not possible because use logstash and memcached to create custom field
It got renamed :) If you simply search with the ID you'll find it https://github.com/SigmaHQ/sigma/blob/30979206a4741b6fc818fe6f2207715511cd050a/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml
