Detection rules › YARA-L
Recon Environment Enumeration Network CISA Report
Detects network enumeration commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1016 System Network Configuration Discovery |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Sysmon | Event ID 22 | DNSEvent (DNS query) |
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaral
/*
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule recon_environment_enumeration_network_cisa_report {
meta:
author = "Google Cloud Security"
description = "Detects network enumeration commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into"
rule_id = "mr_9ca49a46-fb60-4ada-b722-5714d5cb7f53"
rule_name = "Recon Environment Enumeration Network CISA Report"
type = "hunt"
platform = "Windows"
data_source = "microsoft sysmon, windows event logs"
tactic = "TA0007"
technique = "T1016"
reference = "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"
severity = "Low"
priority = "Low"
events:
(
$process.metadata.event_type = "PROCESS_LAUNCH" and
(
// cisa report referenced cmd /c in their report throughout, can filter this in/out for tuning as needed
re.regex($process.target.process.command_line, `(|cmd.*/c).*arp.*-a`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*curl.*www.ip-api.com`) nocase or
// the following line is a broader look at dnscmd /enumrecords not explicitly called out in the report can comment out if not needed
//re.regex($process.target.process.command_line, `(|cmd.*/c).*dnscmd.*/enumrecords`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*dnscmd.*/enumrecords.*/zone`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*dnscmd.*/enumzones`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*dnscmd.*/enumrecords.*/additional`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*ipconfig.*/all`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*interface.*firewall.*show`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*interface.*portproxy.*show`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*interface.*portproxy.*show.*v4tov4`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*firewall.*show`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*netsh.*portproxy.*show.*v4tov4`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*netstat.*-ano`) nocase
)
)
or
(
// C2 like Covenant will mask curl command running from PowerShell; added this to detect DNS lookup for this site as another method to identify
$process.metadata.event_type = "NETWORK_DNS" and
$process.network.application_protocol = "DNS" and
$process.network.dns.questions.name = "www.ip-api.com"
)
$process.principal.hostname = $hostname
$process.target.process.command_line = $command_line
match:
$hostname over 15m
outcome:
$risk_score = 35
$event_count = count_distinct($process.metadata.id)
$unique_command_line_threshold = 5
// added to populate alert graph with additional context
// Commented out principal.hostname because it is already represented in graph as match variable. If match changes, can uncomment to add to results
//$principal_hostname = array_distinct($process.principal.hostname)
$principal_process_pid = array_distinct($process.principal.process.pid)
$principal_process_command_line = array_distinct($process.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
$target_process_pid = array_distinct($process.target.process.pid)
$target_process_command_line = array_distinct($process.target.process.command_line)
$target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
$target_process_file_full_path = array_distinct($process.target.process.file.full_path)
$target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
$principal_user_userid = array_distinct($process.principal.user.userid)
condition:
// modify the condition value for command line to throttle how many of these commands can be issued until the rule is triggered
$process and #command_line > 5
}
Detection logic
Fires when at least one $process event in the 15m window and $command_line occurs more than 5 times in the 15m window.
Events
$process
target.process.command_line matches "(|cmd.*/c).*arp.*-a"target.process.command_line matches "(|cmd.*/c).*curl.*www.ip-api.com"target.process.command_line matches "(|cmd.*/c).*dnscmd.*/enumrecords.*/zone"target.process.command_line matches "(|cmd.*/c).*dnscmd.*/enumzones"target.process.command_line matches "(|cmd.*/c).*dnscmd.*/enumrecords.*/additional"target.process.command_line matches "(|cmd.*/c).*ipconfig.*/all"target.process.command_line matches "(|cmd.*/c).*netsh.*interface.*firewall.*show"target.process.command_line matches "(|cmd.*/c).*netsh.*interface.*portproxy.*show"target.process.command_line matches "(|cmd.*/c).*netsh.*interface.*portproxy.*show.*v4tov4"target.process.command_line matches "(|cmd.*/c).*netsh.*firewall.*show"target.process.command_line matches "(|cmd.*/c).*netsh.*portproxy.*show.*v4tov4"target.process.command_line matches "(|cmd.*/c).*netstat.*-ano"network.application_protocol = "DNS"network.dns.questions.name = "www.ip-api.com"
Correlation
Outcome
Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.
| Field | Expression |
|---|---|
risk_score | 35 |
event_count | count_distinct($process.metadata.id) |
unique_command_line_threshold | 5 |
principal_process_pid | array_distinct($process.principal.process.pid) |
principal_process_command_line | array_distinct($process.principal.process.command_line) |
principal_process_file_sha256 | array_distinct($process.principal.process.file.sha256) |
principal_process_file_full_path | array_distinct($process.principal.process.file.full_path) |
principal_process_product_specific_process_id | array_distinct($process.principal.process.product_specific_process_id) |
principal_process_parent_process_product_specific_process_id | array_distinct($process.principal.process.parent_process.product_specific_process_id) |
target_process_pid | array_distinct($process.target.process.pid) |
target_process_command_line | array_distinct($process.target.process.command_line) |
target_process_file_sha256 | array_distinct($process.target.process.file.sha256) |
target_process_file_full_path | array_distinct($process.target.process.file.full_path) |
target_process_product_specific_process_id | array_distinct($process.target.process.product_specific_process_id) |
principal_user_userid | array_distinct($process.principal.user.userid) |