Detection rules › YARA-L

Recon Credential Theft CISA Report

Severity
low
Type
hunt
Time window
15m
Match by
hostname
Source
github.com/chronicle/detection-rules

Detects suspicious credential access commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1555 Credentials from Password Stores

References

Event coverage

Rule body yaral

/*
 * Copyright 2023 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule recon_credential_theft_cisa_report {

  meta:
    author = "Google Cloud Security"
    description = "Detects suspicious credential access commands as identified in CISA Living off the Land pdf. Alone they may be normal but in concert, they may be worth looking into"
    rule_id = "mr_90b80326-d559-4e82-b5da-613e5406127a"
    rule_name = "Recon Credential Theft CISA Report"
    type = "hunt"
    platform = "Windows"
    data_source = "microsoft sysmon"
    tactic = "TA0006"
    technique = "T1555"
    reference = "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"
    severity = "Low"
    priority = "Low"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    $process.principal.hostname = $hostname
    $process.target.process.command_line = $command_line

    // cisa report referenced cmd /c in their report throughout, can filter this in/out for tuning as needed
    (
        re.regex($process.target.process.command_line, `(|cmd.*/c).*dir.*C:\\Users\\.*\\.ssh\\known_hosts`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*dir.*C:\\users\\.*\\appdata\\roaming\\Mozilla\\firefox\\profiles`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*mimikatz`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\OpenSSH`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\OpenSSH\\Agent`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\realvnc`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\realvnc\\vncserver`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\realvnc\\Allusers`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\realvnc\\Allusers\\vncserver`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hkcu\\software\\.*\\putty\\session`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*save.*hklm\\sam ss.dat`) nocase or
        re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*save.*hklm\\system sy.dat`) nocase
    )

  match:
    $hostname over 15m

  outcome:
    $risk_score = 35
    $event_count = count_distinct($process.metadata.id)
    $unique_command_line_threshold = max(5)
    // added to populate alert graph with additional context
    // Commented out principal.hostname because it is already represented in graph as match variable. If match changes, can uncomment to add to results
    //$principal_hostname = array_distinct($process.principal.hostname)
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)

  condition:
    // modify the condition value for command line to throttle how many of these commands can be issued until the rule is triggered
    $process and #command_line > 5
}

Stages and Predicates

Stage 0: match + condition

match:
    $hostname over 15m
condition:
    $process and #command_line > 5

Fires when at least one $process event in the 15m window and $command_line occurs more than 5 times in the 15m window.

Stage 1: events: $process · PROCESS_LAUNCH

$process.metadata.event_type = "PROCESS_LAUNCH"
$process.principal.hostname = $hostname
$process.target.process.command_line = $command_line

// cisa report referenced cmd /c in their report throughout, can filter this in/out for tuning as needed
(
    re.regex($process.target.process.command_line, `(|cmd.*/c).*dir.*C:\\Users\\.*\\.ssh\\known_hosts`) nocase or
    re.regex($process.target.process.command_line, `(|cmd.*/c).*dir.*C:\\users\\.*\\appdata\\roaming\\Mozilla\\firefox\\profiles`) nocase or
    re.regex($process.target.process.command_line, `(|cmd.*/c).*mimikatz`) nocase or
    re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\OpenSSH`) nocase or
    re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\OpenSSH\\Agent`) nocase or
    re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\realvnc`) nocase or
    re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\realvnc\\vncserver`) nocase or
    re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\realvnc\\Allusers`) nocase or
    re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hklm\\software\\realvnc\\Allusers\\vncserver`) nocase or
    re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*query.*hkcu\\software\\.*\\putty\\session`) nocase or
    re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*save.*hklm\\sam ss.dat`) nocase or
    re.regex($process.target.process.command_line, `(|cmd.*/c).*reg.*save.*hklm\\system sy.dat`) nocase
)

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
target.process.command_lineregex_match
  • (|cmd.*/c).*dir.*C:\Users\.*\.ssh\known_hosts transforms: nocase
  • (|cmd.*/c).*dir.*C:\users\.*\appdata\roaming\Mozilla\firefox\profiles transforms: nocase
  • (|cmd.*/c).*mimikatz transforms: nocase
  • (|cmd.*/c).*reg.*query.*hkcu\software\.*\putty\session transforms: nocase
  • (|cmd.*/c).*reg.*query.*hklm\software\OpenSSH transforms: nocase
  • (|cmd.*/c).*reg.*query.*hklm\software\OpenSSH\Agent transforms: nocase
  • (|cmd.*/c).*reg.*query.*hklm\software\realvnc transforms: nocase
  • (|cmd.*/c).*reg.*query.*hklm\software\realvnc\Allusers transforms: nocase
  • (|cmd.*/c).*reg.*query.*hklm\software\realvnc\Allusers\vncserver transforms: nocase
  • (|cmd.*/c).*reg.*query.*hklm\software\realvnc\vncserver transforms: nocase
  • (|cmd.*/c).*reg.*save.*hklm\sam ss.dat transforms: nocase
  • (|cmd.*/c).*reg.*save.*hklm\system sy.dat transforms: nocase

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
risk_score35
event_countcount_distinct($process.metadata.id)
unique_command_line_thresholdmax(5)
principal_process_pidarray_distinct($process.principal.process.pid)
principal_process_command_linearray_distinct($process.principal.process.command_line)
principal_process_file_sha256array_distinct($process.principal.process.file.sha256)
principal_process_file_full_patharray_distinct($process.principal.process.file.full_path)
principal_process_product_specific_process_idarray_distinct($process.principal.process.product_specific_process_id)
principal_process_parent_process_product_specific_process_idarray_distinct($process.principal.process.parent_process.product_specific_process_id)
target_process_pidarray_distinct($process.target.process.pid)
target_process_command_linearray_distinct($process.target.process.command_line)
target_process_file_sha256array_distinct($process.target.process.file.sha256)
target_process_file_full_patharray_distinct($process.target.process.file.full_path)
target_process_product_specific_process_idarray_distinct($process.target.process.product_specific_process_id)
principal_user_useridarray_distinct($process.principal.user.userid)