Detection rules › YARA-L
Recon Environment Enumeration System CISA Report
Detects system enumeration events as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1082 System Information Discovery |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaral
/*
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule recon_environment_enumeration_system_cisa_report {
meta:
author = "Google Cloud Security"
description = "Detects system enumeration events as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into"
rule_id = "mr_086dede6-33ba-42df-b001-5595ceb0d589"
rule_name = "Recon Environment Enumeration System CISA Report"
type = "hunt"
platform = "Windows"
data_source = "microsoft sysmon, windows event logs"
tactic = "TA0007"
technique = "T1082"
reference = "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"
severity = "Low"
priority = "Low"
events:
$process.metadata.event_type = "PROCESS_LAUNCH"
$process.principal.hostname = $hostname
$process.target.process.command_line = $command_line
re.regex($process.target.process.command_line, `wevtutil.*qe.*security.*\/rd:true.*\/f:text.*\/q:.*\[System\[\(EventID`) nocase
// below is the more specific command down to the event id, could comment out the about and use this instead if desired
//re.regex($process.target.process.command_line, `wevtutil.*qe.*security.*\/rd:true.*\/f:text.*\/q:\*\[System\[\(EventID=4624\).*TimeCreated\[@SystemTime.*\]\].*EventData\[Data.*\]\]`) nocase
or
// cisa report referenced cmd /c in their report throughout, can filter this in/out for tuning as desired
// other wmic switches like /user and /password, these have been excluded to focus on the commands being issued since local access does not require these
(
re.regex($process.target.process.command_line, `(|cmd.*/c).*ldifde.exe.*-f.*-p.*subtree`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*systeminfo`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*tasklist.*\/v`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*whoami`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*volume.*list.*brief`) nocase or
// cisa report called out wmic volume list brief, below is alternate that removed brief to widen criteria
//re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*volume.*list`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*service.*brief`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*product.*list.*brief`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*baseboard.*list.*full`) nocase or
re.regex($process.target.process.command_line, `(|cmd.*/c).*wmic.*path.*win32_logicaldisk.*get.*(caption|filesystem|freespace|size|volumename)`) nocase
)
match:
$hostname over 15m
outcome:
$risk_score = 35
$event_count = count_distinct($process.metadata.id)
$unique_command_line_threshold = max(5)
// added to populate alert graph with additional context
// Commented out principal.hostname because it is already represented in graph as match variable. If match changes, can uncomment to add to results
//$principal_hostname = array_distinct($process.principal.hostname)
$principal_process_pid = array_distinct($process.principal.process.pid)
$principal_process_command_line = array_distinct($process.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
$target_process_pid = array_distinct($process.target.process.pid)
$target_process_command_line = array_distinct($process.target.process.command_line)
$target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
$target_process_file_full_path = array_distinct($process.target.process.file.full_path)
$target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
$principal_user_userid = array_distinct($process.principal.user.userid)
condition:
// modify the condition value for command line to throttle how many of these commands can be issued until the rule is triggered
$process and #command_line > 5
}
Detection logic
Fires when at least one $process event in the 15m window and $command_line occurs more than 5 times in the 15m window.
Events
$process
target.process.command_line matches "wevtutil.*qe.*security.*\/rd:true.*\/f:text.*\/q:.*\[System\[\(EventID"target.process.command_line matches "(|cmd.*/c).*ldifde.exe.*-f.*-p.*subtree"target.process.command_line matches "(|cmd.*/c).*reg.*query.*hklm\\software\\"target.process.command_line matches "(|cmd.*/c).*systeminfo"target.process.command_line matches "(|cmd.*/c).*tasklist.*\/v"target.process.command_line matches "(|cmd.*/c).*whoami"target.process.command_line matches "(|cmd.*/c).*wmic.*volume.*list.*brief"target.process.command_line matches "(|cmd.*/c).*wmic.*service.*brief"target.process.command_line matches "(|cmd.*/c).*wmic.*product.*list.*brief"target.process.command_line matches "(|cmd.*/c).*wmic.*baseboard.*list.*full"target.process.command_line matches "(|cmd.*/c).*wmic.*path.*win32_logicaldisk.*get.*(caption|filesystem|freespace|size|volumename)"
Correlation
Outcome
Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.
| Field | Expression |
|---|---|
risk_score | 35 |
event_count | count_distinct($process.metadata.id) |
unique_command_line_threshold | max(5) |
principal_process_pid | array_distinct($process.principal.process.pid) |
principal_process_command_line | array_distinct($process.principal.process.command_line) |
principal_process_file_sha256 | array_distinct($process.principal.process.file.sha256) |
principal_process_file_full_path | array_distinct($process.principal.process.file.full_path) |
principal_process_product_specific_process_id | array_distinct($process.principal.process.product_specific_process_id) |
principal_process_parent_process_product_specific_process_id | array_distinct($process.principal.process.parent_process.product_specific_process_id) |
target_process_pid | array_distinct($process.target.process.pid) |
target_process_command_line | array_distinct($process.target.process.command_line) |
target_process_file_sha256 | array_distinct($process.target.process.file.sha256) |
target_process_file_full_path | array_distinct($process.target.process.file.full_path) |
target_process_product_specific_process_id | array_distinct($process.target.process.product_specific_process_id) |
principal_user_userid | array_distinct($process.principal.user.userid) |