detection.wiki

Detection rules › YARA-L

Recon Credential Theft CISA Report

Severity
low
Type
hunt
Time window
15m
Match by
hostname
Author
Google Cloud Security
Source
github.com/chronicle/detection-rules

Detects suspicious credential access commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1555 Credentials from Password Stores

References

Event coverage

ProviderEventTitle
SysmonEvent ID 1Process creation
Security-AuditingEvent ID 4688A new process has been created.

Rule body yaral

/*
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule recon_credential_theft_cisa_report {

  meta:
    author = "Google Cloud Security"
    description = "Detects suspicious credential access commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into"
    rule_id = "mr_90b80326-d559-4e82-b5da-613e5406127a"
    rule_name = "Recon Credential Theft CISA Report"
    type = "hunt"
    platform = "Windows"
    data_source = "microsoft sysmon"
    tactic = "TA0006"
    technique = "T1555"
    reference = "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"
    severity = "Low"
    priority = "Low"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    $process.principal.hostname = $hostname
    $process.target.process.command_line = $command_line

    // cisa report referenced cmd /c in their report throughout, can filter this in/out for tuning as needed
    (
        re.regex($process.target.process.command_line, `(|cmd.*/c).*dir.*C:\\Users\\.*\\.ssh\\known_hosts`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*dir.*C:\\users\\.*\\appdata\\roaming\\Mozilla\\firefox\\profiles`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*mimikatz`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\OpenSSH`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\OpenSSH\\Agent`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\realvnc`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\realvnc\\vncserver`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\realvnc\\Allusers`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\realvnc\\Allusers\\vncserver`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hkcu\\software\\.*\\putty\\session`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*save.*hklm\\sam ss.dat`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*save.*hklm\\system sy.dat`) nocase
    )

  match:
    $hostname over 15m

  outcome:
    $risk_score = 35
    $event_count = count_distinct($process.metadata.id)
    $unique_command_line_threshold = max(5)
    // added to populate alert graph with additional context
    // Commented out principal.hostname because it is already represented in graph as match variable. If match changes, can uncomment to add to results
    //$principal_hostname = array_distinct($process.principal.hostname)
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)

  condition:
    // modify the condition value for command line to throttle how many of these commands can be issued until the rule is triggered
    $process and #command_line > 5
}

Detection logic

Fires when at least one $process event in the 15m window and $command_line occurs more than 5 times in the 15m window.

Events

$process PROCESS_LAUNCH (1, 4688)

  • target.process.command_line matches "(|cmd.*/c).*dir.*C:\\Users\\.*\\.ssh\\known_hosts"
  • target.process.command_line matches "(|cmd.*/c).*dir.*C:\\users\\.*\\appdata\\roaming\\Mozilla\\firefox\\profiles"
  • target.process.command_line matches "(|cmd.*/c).*mimikatz"
  • target.process.command_line matches "(|cmd.*/c).*reg.*query.*hklm\\software\\OpenSSH"
  • target.process.command_line matches "(|cmd.*/c).*reg.*query.*hklm\\software\\OpenSSH\\Agent"
  • target.process.command_line matches "(|cmd.*/c).*reg.*query.*hklm\\software\\realvnc"
  • target.process.command_line matches "(|cmd.*/c).*reg.*query.*hklm\\software\\realvnc\\vncserver"
  • target.process.command_line matches "(|cmd.*/c).*reg.*query.*hklm\\software\\realvnc\\Allusers"
  • target.process.command_line matches "(|cmd.*/c).*reg.*query.*hklm\\software\\realvnc\\Allusers\\vncserver"
  • target.process.command_line matches "(|cmd.*/c).*reg.*query.*hkcu\\software\\.*\\putty\\session"
  • target.process.command_line matches "(|cmd.*/c).*reg.*save.*hklm\\sam ss.dat"
  • target.process.command_line matches "(|cmd.*/c).*reg.*save.*hklm\\system sy.dat"

Correlation

Match key
$hostname (principal.hostname)
Within
15m

Outcome

Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.

FieldExpression
risk_score35
event_countcount_distinct($process.metadata.id)
unique_command_line_thresholdmax(5)
principal_process_pidarray_distinct($process.principal.process.pid)
principal_process_command_linearray_distinct($process.principal.process.command_line)
principal_process_file_sha256array_distinct($process.principal.process.file.sha256)
principal_process_file_full_patharray_distinct($process.principal.process.file.full_path)
principal_process_product_specific_process_idarray_distinct($process.principal.process.product_specific_process_id)
principal_process_parent_process_product_specific_process_idarray_distinct($process.principal.process.parent_process.product_specific_process_id)
target_process_pidarray_distinct($process.target.process.pid)
target_process_command_linearray_distinct($process.target.process.command_line)
target_process_file_sha256array_distinct($process.target.process.file.sha256)
target_process_file_full_patharray_distinct($process.target.process.file.full_path)
target_process_product_specific_process_idarray_distinct($process.target.process.product_specific_process_id)
principal_user_useridarray_distinct($process.principal.user.userid)