Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Elastalert with Sigma SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Elastalert with Sigma

A couple of weeks ago, Remco wrote a post about Sigma(1). I’ve also been spending a good bit of time setting up Elastalert rules with Sigma and wanted to expand on his great post. We are going to set up an elastalert rule for sigma_zeek_smb_converted_win_atsvc_task(2).

 

Convert Rule

Sigmac -t elastalert -c ./elastic_schema_config_file.yml /tmp/sigma/rules/sigma_zeek_smb_converted_win_atsvc_task >>/etc/elastalert/rules/sigma_zeek_smb_converted_win_atsvc_task.yml


 

Let's see what this rule is doing

This rule is looking at the bro_smb_files events where IPC$ and atsvc show up.

 

alert:

- debug

description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe

filter:

- query:

    query_string:

      query: (event_type:"bro_smb_files" AND path.keyword:\\*\\IPC$ AND name:"atsvc")

index: '*:logstash-bro-*'

name: f6de6525-4509-495a-8a82-1f8b0ed73a00_0

priority: 3

realert:

  minutes: 0

type: any

 

query_key: ["source_ip", "destination_ip"]


 

Test it

On Security onion they have a command builtin called so-elastalert-test. 

#sudo so-elastalert-test -r /etc/elastalert/rules/sigma_zeek_smb_converted_win_atsvc_task.yml

 

1. Is the query running too slow?

2. Is it looking at the right data?

3. Are the results as expected?

 

elastalert_status - {'rule_name': '66a0bdc6-ee04-441a-9125-99d2eb547942_0', 'endtime': datetime.datetime(2020, 5, 29, 14, 51, 13, 474764, tzinfo=tzutc()), 'starttime': datetime.datetime(2020, 5, 28, 14, 51, 13, 474764, tzinfo=tzutc()), 'matches': 0, 'hits': 183990, '@timestamp': datetime.datetime(2020, 5, 29, 14, 53, 2, 609529, tzinfo=tzutc()), 'time_taken': 109.09370565414429}

 

If you are not getting any hits for the rule, expand the search to see if you have any true/false positives. On security onion manually, call the rule test and use the --days option. 

 

#docker exec -it so-elastalert bash -c ‘elastalert-test-rule /etc/elastalert/rules/sigma_zeek_smb_converted_win_atsvc_task.yml --days 25’

 

You may have false positives from your administrator's desktops talking to other systems, and you will need to adjust the alert to not match on these IP’s. Once you are happy with the results, we need to add it to our alert/IR platform. In this case, we are going to send it to TheHive.

 

At the bottom of sigma_zeek_smb_converted_win_atsvc_task.yml you want to add TheHive config. The MITRE Tags are not being transferred to the elastalert rule, and we’ll add them manually.

 

===

hive_connection:

  hive_host: https://ip

  hive_port: 9443

  hive_apikey:key

 

hive_alert_config:

  title: ' Sigma Remote Task Creation via ATSVC Named Pipe {match[source_ip]} -- {match[destination_ip]}'

  type: 'alarm'

  source: 'Sigma'

  description: 'Alert : {match[source_ip]}

  severity:2

  tags: ['elastalert', 'attack.lateral_movement', 'attack.persistence', 'attack.t1053','car.2013-05-004','car.2015-04-001', 'sigma']

  tlp: 1

  status: 'New'

  follow: True

  sourceRef: '{match[source_ip]}{match[destination_ip]}'

 

hive_observable_data_mapping:

  - ip: '{match[source_ip]}'

  - ip: '{match[destination_ip]}'

===

 

Now restart elastalert service and you should start getting alerts on any of these matches.

#so-elastalert-restart


 

(1)https://isc.sans.edu/diary/rss/26258

(2)https://github.com/Neo23x0/sigma/blob/master/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml

 

Tom

58 Posts
ISC Handler
Jul 1st 2020

Sign Up for Free or Log In to start participating in the conversation!