diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index 01620751981..cf4c7b3dee5 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/02/14"
+updated_date = "2022/04/20"
 
 [rule]
 author = ["Elastic"]
@@ -14,6 +14,48 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Component Object Model Hijacking"
+note = """## Triage and analysis
+
+### Investigating Component Object Model Hijacking
+
+Adversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree).
+- Identify the user account that performed the action.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Check for similar behavior in other hosts on the environment.
+- Retrieve the file referenced in the registry and determine if it is malicious:
+  - Use a private sandboxed malware analysis system to perform analysis.
+  - Observe and collect information about the following activities:
+    - Attempts to contact external domains and addresses.
+    - File and registry access, modification, and creation activities.
+    - Service creation and launch activities.
+    - Scheduled tasks creation.
+  - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of the file.
+    - Search for the existence and reputation of this file in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False positive analysis
+
+- Some Microsoft executables will reference the LocalServer32 registry key value for the location of external COM objects.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement any temporary network rules, procedures, and segmentation required to contain the malware.
+  - Immediately block the IoCs identified.
+- Remove and block malicious artifacts identified on the triage.
+- Disable the involved accounts, or restrict their ability to log on remotely.
+- Reset passwords for the user account and other potentially compromised accounts (email, services, CRMs, etc.).
+
+
+## Config
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
 references = [
     "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
 ]
@@ -26,7 +68,6 @@ type = "eql"
 query = '''
 registry where
- /* uncomment once length is stable length(bytes_written_string) > 0 and */
  (registry.path : "HK*}\\InprocServer32\\" and
   registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and
   not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*") or
 
@@ -39,7 +80,13 @@ registry where
  not (process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and
       registry.path : "HKEY_USERS\\S-1-5-21-*_Classes\\CLSID\\*\\LocalServer32\\") and
  /* not necessary but good for filtering privileged installations */
- user.domain != "NT AUTHORITY")
+ user.domain != "NT AUTHORITY"
+ ) and
+ /* removes false-positives generated by OneDrive and Teams */
+ not process.name : ("OneDrive.exe","OneDriveSetup.exe","FileSyncConfig.exe","Teams.exe") and
+ /* Teams DLL loaded by regsvr */
+ not (process.name: "regsvr32.exe" and
+      registry.data.strings : "*Microsoft.Teams.*.dll")
 '''
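Review bot: The "Response and remediation" list in the new `note` never tells the analyst to clean up the registry artifact that is the persistence itself — isolating the host, blocking IoCs and resetting passwords all leave the rogue InprocServer32/LocalServer32 value in place, so the hijack fires again at next COM activation. Add a bullet such as `- Delete the hijacked CLSID server value (or restore the legitimate server path) so COM resolution falls back to the expected binary, and confirm it is gone after a reboot.` The "Retrieve the file referenced in the registry" step is also misleading for the scrobj.dll clause the query keeps: there the registered DLL is a Microsoft binary that will hash clean on VirusTotal, and per the bohops write-up in `references` the payload is the scriptlet registered alongside it, so the note should direct the analyst to collect that scriptlet's URL or path rather than the DLL hash. Finally, the `## Config` paragraph should say "Elastic Stack versions <8.2" so the version is not read as a rule or Beats version.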