[New Rule] Complementary Rules for Recent REvil TTPs (elastic#1329)

* [New Rule] Complementary Rules for Recent REvil TTPs

* added OFN

* relinted and added T1574.002

* removed new line

* Update defense_evasion_disabling_windows_defender_powershell.toml

* corrected rule name

* added a reference url

* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml

Co-authored-by: Andrew Pease <[email protected]>

* Update rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml

Co-authored-by: Andrew Pease <[email protected]>

* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml

Co-authored-by: Andrew Pease <[email protected]>

* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml

Co-authored-by: Andrew Pease <[email protected]>

Co-authored-by: Andrew Pease <[email protected]>

Author: Samirbous

rules/windows/defense_evasion_disabling_windows_defender_powershell.toml

@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2021/07/07"
+maturity = "production"
+updated_date = "2021/07/07"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings."
+false_positives = ["Planned Windows Defender configuration changes."]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Disabling Windows Defender Security Settings via PowerShell"
+references = [
+    "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps",
+]
+risk_score = 47
+rule_id = "c8cccb06-faf2-4cd5-886e-2c9636cfcb87"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+ (process.name : ("powershell.exe", "pwsh.exe") or process.pe.original_file_name == "PowerShell.EXE") and
+ process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1562"
+reference = "https://attack.mitre.org/techniques/T1562/"
+name = "Impair Defenses"
+[[rule.threat.technique.subtechnique]]
+id = "T1562.001"
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+name = "Disable or Modify Tools"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+name = "Defense Evasion"

rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml

@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2021/07/07"
+maturity = "production"
+updated_date = "2021/07/07"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to
+weaken the host firewall settings.
+"""
+false_positives = ["Host Windows Firewall planned system administration changes."]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Enable Host Network Discovery via Netsh"
+risk_score = 47
+rule_id = "8b4f0816-6a65-4630-86a6-c21c179c0d09"
+severity = "medium"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+process.name : "netsh.exe" and
+process.args : ("firewall", "advfirewall") and process.args : "group=Network Discovery" and process.args : "enable=Yes"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1562/"
+id = "T1562"
+name = "Impair Defenses"
+[[rule.threat.technique.subtechnique]]
+reference = "https://attack.mitre.org/techniques/T1562/001/"
+id = "T1562.001"
+name = "Disable or Modify Tools"
+
+
+
+[rule.threat.tactic]
+reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0005"
+name = "Defense Evasion"

rules/windows/defense_evasion_execution_windefend_unusual_path.toml

@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2021/07/07"
+maturity = "production"
+updated_date = "2021/07/07"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking
+starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade
+defenses via side-loading a malicious DLL within the memory space of one of those processes.
+"""
+false_positives = ["Microsoft Antimalware Service Executable installed on non default installation path."]
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential DLL Side-Loading via Microsoft Antimalware Service Executable"
+references = [
+    "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/",
+]
+risk_score = 73
+rule_id = "053a0387-f3b5-4ba5-8245-8002cca2bd08"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+  (process.pe.original_file_name == "MsMpEng.exe" and not process.name : "MsMpEng.exe") or
+  (process.name : "MsMpEng.exe" and not
+        process.executable : ("?:\\ProgramData\\Microsoft\\Windows Defender\\*.exe",
+                              "?:\\Program Files\\Windows Defender\\*.exe",
+                              "?:\\Program Files (x86)\\Windows Defender\\*.exe"))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.002"
+name = "DLL Side-Loading"
+reference = "https://attack.mitre.org/techniques/T1574/002/"
+
+
+[rule.threat.tactic]
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0005"