SANS ISC: InfoSec Handlers Diary Blog

Elastalert with Sigma

Published: 2020-07-01
Last Updated: 2020-07-01 02:01:54 UTC
by Tom Webb (Version: 1)

A couple of weeks ago, Remco wrote a post about Sigma(1). I’ve also been spending a good bit of time setting up Elastalert rules with Sigma and wanted to expand on his great post. We are going to set up an elastalert rule for sigma_zeek_smb_converted_win_atsvc_task(2).

 

Convert Rule

sigmac -t elastalert -c ./elastic_schema_config_file.yml /tmp/sigma/rules/sigma_zeek_smb_converted_win_atsvc_task >>/etc/elastalert/rules/sigma_zeek_smb_converted_win_atsvc_task.yml


 

Let's see what this rule is doing

This rule is looking at the bro_smb_files events where IPC$ and atsvc show up.

 

alert:
- debug
description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
filter:
- query:
    query_string:
      query: (event_type:"bro_smb_files" AND path.keyword:\\*\\IPC$ AND name:"atsvc")
index: '*:logstash-bro-*'
name: f6de6525-4509-495a-8a82-1f8b0ed73a00_0
priority: 3
realert:
  minutes: 0
type: any

query_key: ["source_ip", "destination_ip"]


 

Test it

Security Onion has a built-in command called so-elastalert-test.

#sudo so-elastalert-test -r /etc/elastalert/rules/sigma_zeek_smb_converted_win_atsvc_task.yml

 

1. Is the query running too slow?

2. Is it looking at the right data?

3. Are the results as expected?

 

elastalert_status - {'rule_name': '66a0bdc6-ee04-441a-9125-99d2eb547942_0', 'endtime': datetime.datetime(2020, 5, 29, 14, 51, 13, 474764, tzinfo=tzutc()), 'starttime': datetime.datetime(2020, 5, 28, 14, 51, 13, 474764, tzinfo=tzutc()), 'matches': 0, 'hits': 183990, '@timestamp': datetime.datetime(2020, 5, 29, 14, 53, 2, 609529, tzinfo=tzutc()), 'time_taken': 109.09370565414429}

 

If you are not getting any hits for the rule, expand the search to see if you have any true/false positives. On Security Onion, call the rule test manually and use the --days option.

 

#docker exec -it so-elastalert bash -c 'elastalert-test-rule /etc/elastalert/rules/sigma_zeek_smb_converted_win_atsvc_task.yml --days 25'

 

You may have false positives from your administrators' desktops talking to other systems, and you will need to adjust the alert so it does not match on these IPs. Once you are happy with the results, we need to add it to our alert/IR platform. In this case, we are going to send it to TheHive.
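For the false-positive tuning described above, one way to exclude known administrator traffic is a second filter entry scoped to specific source/destination pairs rather than to a whole source IP, so an admin desktop reaching an unexpected host still alerts. This is an added example, not part of the original diary; the 192.0.2.x addresses are constructed placeholders, and the field names are the ones used in query_key.

```yaml
# Added example: tuned filter section for
# /etc/elastalert/rules/sigma_zeek_smb_converted_win_atsvc_task.yml
# Addresses are constructed placeholders (RFC 5737 documentation range).

# Before (as generated by sigmac): every ATSVC access over IPC$ alerts.
# filter:
# - query:
#     query_string:
#       query: (event_type:"bro_smb_files" AND path.keyword:\\*\\IPC$ AND name:"atsvc")

# After: the generated query is left untouched and a second entry carries
# the exclusions. ElastAlert combines the entries under "filter" with AND.
filter:
- query:
    query_string:
      query: (event_type:"bro_smb_files" AND path.keyword:\\*\\IPC$ AND name:"atsvc")
- query:
    query_string:
      # Each exclusion names a source AND the destinations it is expected
      # to manage; the same source talking to any other host still matches.
      query: >-
        NOT (source_ip:"192.0.2.10" AND destination_ip:("192.0.2.50" OR "192.0.2.51"))
        AND NOT (source_ip:"192.0.2.11" AND destination_ip:"192.0.2.50")
```

Re-run the rule test with --days after the change to confirm that only the expected pairs dropped out of the matches.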

 

At the bottom of sigma_zeek_smb_converted_win_atsvc_task.yml, add the TheHive config. The MITRE tags are not transferred to the elastalert rule, so we'll add them manually.

 

===
hive_connection:
  hive_host: https://ip
  hive_port: 9443
  hive_apikey: key

hive_alert_config:
  title: 'Sigma Remote Task Creation via ATSVC Named Pipe {match[source_ip]} -- {match[destination_ip]}'
  type: 'alarm'
  source: 'Sigma'
  description: 'Alert : {match[source_ip]}'
  severity: 2
  # MITRE tags from the Sigma rule, added manually
  tags: ['elastalert', 'attack.lateral_movement', 'attack.persistence', 'attack.t1053','car.2013-05-004','car.2015-04-001', 'sigma']
  tlp: 1
  status: 'New'
  follow: True
  sourceRef: '{match[source_ip]}{match[destination_ip]}'

hive_observable_data_mapping:
  - ip: '{match[source_ip]}'
  - ip: '{match[destination_ip]}'
===

 

Now restart the elastalert service, and you should start getting alerts on any of these matches.

#so-elastalert-restart


 

(1) https://isc.sans.edu/diary/rss/26258

(2) https://github.com/Neo23x0/sigma/blob/master/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml

 
