nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/windows/persistence_app_compat_shim.toml

@@ -0,0 +1,117 @@
+[metadata]
+creation_date = "2020/09/02"
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
+maturity = "production"
+updated_date = "2025/08/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been
+abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.
+"""
+from = "now-9m"
+index = [
+    "logs-endpoint.events.registry-*",
+    "winlogbeat-*",
+    "logs-windows.sysmon_operational-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Installation of Custom Shim Databases"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Installation of Custom Shim Databases
+
+Application Compatibility Shim databases are used in Windows to ensure older applications run smoothly on newer OS versions by applying compatibility fixes. However, attackers can exploit this feature to maintain persistence and execute arbitrary code by installing malicious shim databases. The detection rule identifies changes in specific registry paths associated with these databases, excluding known legitimate processes, to flag potential abuse.
+
+### Possible investigation steps
+
+- Review the registry path changes identified in the alert to confirm the presence of any unexpected or unauthorized .sdb files in the specified registry paths.
+- Investigate the process that made the registry change by examining the process executable path and comparing it against the list of known legitimate processes excluded in the query.
+- Check the historical activity of the process responsible for the change to identify any patterns or anomalies that might indicate malicious behavior.
+- Analyze the context around the time of the registry change, including other system events or alerts, to identify any related suspicious activities.
+- If a suspicious .sdb file is found, conduct a file analysis to determine its purpose and whether it contains any malicious code or configurations.
+- Consult threat intelligence sources to see if there are any known threats or campaigns associated with the identified process or .sdb file.
+
+### False positive analysis
+
+- Known legitimate processes such as SAP and Kaspersky applications may trigger false positives due to their use of shim databases. These processes are already excluded in the detection rule to minimize unnecessary alerts.
+- If additional legitimate applications are identified as causing false positives, users can update the exclusion list by adding the specific process executable paths to the rule.
+- Regularly review and update the exclusion list to ensure it reflects the current environment and any new legitimate applications that may use shim databases.
+- Monitor the frequency and context of alerts to distinguish between benign and potentially malicious activities, adjusting the rule as necessary to reduce noise.
+- Engage with application owners to verify the legitimacy of processes that frequently trigger alerts, ensuring that only trusted applications are excluded.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further propagation or communication with potential command and control servers.
+- Terminate any suspicious processes identified as responsible for the installation of the custom shim database, ensuring they are not legitimate processes mistakenly flagged.
+- Remove the malicious shim database entries from the registry paths specified in the detection query to eliminate persistence mechanisms.
+- Conduct a thorough scan of the affected system using updated antivirus and endpoint detection tools to identify and remove any additional malware or unauthorized changes.
+- Review and restore any altered system configurations or files to their original state to ensure system integrity.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
+- Implement enhanced monitoring and logging for the specified registry paths and associated processes to detect and respond to similar threats in the future."""
+risk_score = 47
+rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Persistence",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: SentinelOne",
+    "Data Source: Elastic Endgame",
+    "Data Source: Crowdstrike",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.type == "change" and
+  registry.path : "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb" and
+  not process.executable : (
+        "?:\\Program Files (x86)\\DesktopCentral_Agent\\*\\Setup\\NwSapSetup.exe",
+        "?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe",
+        "?:\\Program Files (x86)\\SAP\\SAPsetup\\setup\\NwSapSetup.exe",
+        "?:\\Program Files (x86)\\SAP\\SapSetup\\OnRebootSvc\\NWSAPSetupOnRebootInstSvc.exe",
+        "?:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for Windows Server\\kavfs.exe",
+
+        /* Crowdstrike specific exclusion as it uses NT Object paths */
+        "\\Device\\HarddiskVolume*\\Program Files (x86)\\DesktopCentral_Agent\\*\\Setup\\NwSapSetup.exe",
+        "\\Device\\HarddiskVolume*\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe",
+        "\\Device\\HarddiskVolume*\\Program Files (x86)\\SAP\\SAPsetup\\setup\\NwSapSetup.exe",
+        "\\Device\\HarddiskVolume*\\Program Files (x86)\\SAP\\SapSetup\\OnRebootSvc\\NWSAPSetupOnRebootInstSvc.exe",
+        "\\Device\\HarddiskVolume*\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for Windows Server\\kavfs.exe"
+  )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.011"
+name = "Application Shimming"
+reference = "https://attack.mitre.org/techniques/T1546/011/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+

nldcsc_elastic_rules/rules/windows/persistence_appcertdlls_registry.toml

@@ -0,0 +1,121 @@
+[metadata]
+creation_date = "2020/11/18"
+integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
+maturity = "production"
+updated_date = "2025/08/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every
+process using the common API functions to create processes.
+"""
+from = "now-9m"
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.registry-*",
+    "logs-windows.sysmon_operational-*",
+    "endgame-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-m365_defender.event-*",
+    "logs-crowdstrike.fdr*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Registry Persistence via AppCert DLL"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Registry Persistence via AppCert DLL
+
+AppCert DLLs are dynamic link libraries that can be configured to load with every process that uses common API functions to create processes on Windows systems. This feature is intended for legitimate use, such as application compatibility. However, adversaries can exploit this by inserting malicious DLLs into the registry path, ensuring their code executes persistently across system reboots. The detection rule identifies changes to specific registry paths associated with AppCert DLLs, flagging potential unauthorized modifications indicative of persistence or privilege escalation attempts. By monitoring these registry changes, security analysts can detect and respond to such threats effectively.
+
+### Possible investigation steps
+
+- Review the specific registry path changes identified in the alert to confirm if they match the paths specified in the query: "HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*", "\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*", or "MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*".
+- Check the timestamp of the registry change event to determine when the modification occurred and correlate it with other system activities or logs around the same time.
+- Identify the user account or process responsible for the registry modification by examining the event logs or security logs to determine if it was an authorized change or potentially malicious activity.
+- Investigate the DLL file specified in the registry change for any known malicious signatures or behaviors using threat intelligence sources or antivirus tools.
+- Analyze the system for any additional indicators of compromise or persistence mechanisms, such as unusual scheduled tasks, startup items, or other registry modifications.
+- Review historical data to determine if similar registry changes have occurred in the past, which might indicate a recurring threat or persistent adversary activity.
+
+### False positive analysis
+
+- Legitimate software installations or updates may modify the AppCert DLL registry paths as part of their setup process. Users can handle these by creating exceptions for known and trusted software vendors.
+- System administrators might intentionally configure AppCert DLLs for application compatibility purposes. To manage this, maintain a list of approved configurations and exclude these from alerts.
+- Security tools or endpoint protection software might interact with these registry paths during routine scans or updates. Identify and whitelist these tools to prevent unnecessary alerts.
+- Custom enterprise applications may use AppCert DLLs for legitimate process monitoring or enhancement. Collaborate with application developers to document these cases and exclude them from detection.
+- Regular system maintenance scripts or group policies might inadvertently trigger changes in these registry paths. Review and adjust these scripts or policies to minimize false positives, or document and exclude them if they are necessary.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
+- Use endpoint detection and response (EDR) tools to terminate any suspicious processes associated with the malicious AppCert DLLs identified in the registry paths.
+- Remove the unauthorized AppCert DLL entries from the registry paths: HKLM\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\* to eliminate persistence mechanisms.
+- Conduct a thorough scan of the system using updated antivirus and anti-malware tools to identify and remove any additional malicious files or remnants.
+- Review and restore any system files or configurations that may have been altered by the malicious DLLs to ensure system integrity.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
+- Implement enhanced monitoring and logging for the specific registry paths and related process creation activities to detect any future unauthorized changes promptly."""
+risk_score = 47
+rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Persistence",
+    "Tactic: Privilege Escalation",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: SentinelOne",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: Crowdstrike",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.type == "change" and
+  registry.path : "*\\SYSTEM\\*ControlSet*\\Control\\Session Manager\\AppCertDLLs\\*"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.009"
+name = "AppCert DLLs"
+reference = "https://attack.mitre.org/techniques/T1546/009/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.009"
+name = "AppCert DLLs"
+reference = "https://attack.mitre.org/techniques/T1546/009/"
+
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+

nldcsc_elastic_rules/rules/windows/persistence_appinitdlls_registry.toml

@@ -0,0 +1,196 @@
+[metadata]
+creation_date = "2020/11/18"
+integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
+maturity = "production"
+updated_date = "2025/08/28"
+
+[transform]
+[[transform.osquery]]
+label = "Osquery - Retrieve AppInit Registry Value"
+query = """
+SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows'
+or r.key == 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows') and r.name ==
+'AppInit_DLLs'
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve DNS Cache"
+query = "SELECT * FROM dns_cache"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve All Services"
+query = "SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Services Running on User Accounts"
+query = """
+SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE
+NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR
+user_account == null)
+"""
+
+[[transform.osquery]]
+label = "Osquery - Retrieve Service Unsigned Executables with Virustotal Link"
+query = """
+SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,
+services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =
+authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
+"""
+
+
+[rule]
+author = ["Elastic"]
+description = """
+AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads
+user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode
+processes, allowing for the customization of the user interface and the behavior of Windows-based applications.
+Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process
+injection, and provide a solid and constant persistence on the machine.
+"""
+from = "now-9m"
+index = [
+    "winlogbeat-*",
+    "logs-endpoint.events.registry-*",
+    "logs-windows.sysmon_operational-*",
+    "endgame-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-crowdstrike.fdr*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Registry Persistence via AppInit DLL"
+note = """## Triage and analysis
+
+### Investigating Registry Persistence via AppInit DLL
+
+AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.
+
+Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.
+
+This rule identifies modifications on the AppInit registry keys.
+
+> **Note**:
+> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
+
+#### Possible investigation steps
+
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Review the source process and related DLL file tied to the Windows Registry entry.
+  - Check whether the DLL is signed, and tied to a authorized program used on your environment.
+- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.
+- Retrieve all DLLs under the AppInit registry keys:
+  - $osquery_0
+- Examine the host for derived artifacts that indicate suspicious activities:
+  - Analyze the process executable and the DLLs using a private sandboxed analysis system.
+  - Observe and collect information about the following activities in both the sandbox and the alert subject host:
+    - Attempts to contact external domains and addresses.
+      - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.
+      - Examine the DNS cache for suspicious or anomalous entries.
+        - $osquery_1
+    - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.
+    - Examine the host services for suspicious or anomalous entries.
+      - $osquery_2
+      - $osquery_3
+      - $osquery_4
+  - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False positive analysis
+
+- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement temporary network rules, procedures, and segmentation to contain the malware.
+  - Stop suspicious processes.
+  - Immediately block the identified indicators of compromise (IoCs).
+  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
+- Remove and block malicious artifacts identified during triage.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+risk_score = 47
+rule_id = "d0e159cf-73e9-40d1-a9ed-077e3158a855"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Persistence",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Data Source: SentinelOne",
+    "Data Source: Crowdstrike",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+registry where host.os.type == "windows" and event.type == "change" and
+  registry.value : "AppInit_Dlls" and
+  not process.executable : (
+     "?:\\Windows\\System32\\DriverStore\\FileRepository\\*\\Display.NvContainer\\NVDisplay.Container.exe",
+     "?:\\Windows\\System32\\msiexec.exe",
+     "?:\\Windows\\SysWOW64\\msiexec.exe",
+     "?:\\Program Files\\Commvault\\Base\\cvd.exe",
+     "?:\\Program Files\\Commvault\\ContentStore*\\Base\\cvd.exe",
+     "?:\\Program Files (x86)\\Commvault\\Base\\cvd.exe",
+     "?:\\Program Files (x86)\\Commvault\\ContentStore*\\Base\\cvd.exe",
+     "?:\\Program Files\\NVIDIA Corporation\\Display.NvContainer\\NVDisplay.Container.exe",
+
+     /* Crowdstrike specific condition as it uses NT Object paths */
+     "\\Device\\HarddiskVolume*\\Windows\\System32\\DriverStore\\FileRepository\\*\\Display.NvContainer\\NVDisplay.Container.exe",
+     "\\Device\\HarddiskVolume*\\Windows\\System32\\msiexec.exe",
+     "\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\msiexec.exe",
+     "\\Device\\HarddiskVolume*\\Program Files\\Commvault\\Base\\cvd.exe",
+     "\\Device\\HarddiskVolume*\\Program Files\\Commvault\\ContentStore*\\Base\\cvd.exe",
+     "\\Device\\HarddiskVolume*\\Program Files (x86)\\Commvault\\Base\\cvd.exe",
+     "\\Device\\HarddiskVolume*\\Program Files (x86)\\Commvault\\ContentStore*\\Base\\cvd.exe",
+     "\\Device\\HarddiskVolume*\\Program Files\\NVIDIA Corporation\\Display.NvContainer\\NVDisplay.Container.exe"
+  )
+  /*
+    Full registry key path omitted due to data source variations:
+    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls"
+    "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls"
+  */
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+[[rule.threat.technique.subtechnique]]
+id = "T1546.010"
+name = "AppInit DLLs"
+reference = "https://attack.mitre.org/techniques/T1546/010/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1112"
+name = "Modify Registry"
+reference = "https://attack.mitre.org/techniques/T1112/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

nldcsc_elastic_rules/rules/windows/persistence_browser_extension_install.toml

@@ -0,0 +1,111 @@
+[metadata]
+creation_date = "2023/08/22"
+integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
+maturity = "production"
+updated_date = "2025/05/05"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads
+masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.
+"""
+from = "now-9m"
+index = [
+    "logs-endpoint.events.file-*",
+    "logs-m365_defender.event-*",
+    "logs-sentinel_one_cloud_funnel.*",
+    "logs-windows.sysmon_operational-*",
+    "winlogbeat-*",
+    "endgame-*",
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Browser Extension Install"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Browser Extension Install
+Browser extensions enhance functionality in web browsers but can be exploited by adversaries to gain persistence or execute malicious activities. Attackers may disguise harmful extensions as legitimate or use compromised systems to install them. The detection rule identifies suspicious extension installations by monitoring file creation events in typical extension directories, filtering out known safe processes, and focusing on Windows environments.
+
+### Possible investigation steps
+
+- Review the file creation event details to identify the specific browser extension file (e.g., .xpi or .crx) and its path to determine if it aligns with known malicious patterns or locations.
+- Check the process that initiated the file creation event, especially if it is not a known safe process like firefox.exe, to assess if it is a legitimate application or potentially malicious.
+- Investigate the user account associated with the file creation event to determine if the activity is expected or if the account may have been compromised.
+- Examine recent system activity and logs for any signs of social engineering attempts or unauthorized access that could have led to the installation of the extension.
+- Cross-reference the extension file name and path with threat intelligence sources to identify if it is associated with known malicious browser extensions.
+- If applicable, review the browser's extension management interface to verify the presence and legitimacy of the installed extension.
+
+### False positive analysis
+
+- Language pack installations for Firefox can trigger false positives. Exclude files named "langpack-*@firefox.mozilla.org.xpi" from detection to prevent unnecessary alerts.
+- Dictionary add-ons for Firefox may also be flagged. Add exceptions for files named "*@dictionaries.addons.mozilla.org.xpi" to reduce false positives.
+- Regular updates or installations of legitimate browser extensions from trusted sources can be mistaken for malicious activity. Maintain a list of trusted processes and paths to exclude from monitoring.
+- User-initiated installations from official browser stores might be flagged. Educate users on safe installation practices and consider excluding known safe processes like "firefox.exe" when associated with legitimate extension paths.
+- Frequent installations in enterprise environments due to software deployment tools can cause alerts. Coordinate with IT to identify and exclude these routine activities from detection.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
+- Terminate any suspicious processes associated with the unauthorized browser extension installation, such as unknown or unexpected instances of browser processes.
+- Remove the malicious browser extension by deleting the associated files from the extension directories identified in the alert.
+- Conduct a full antivirus and anti-malware scan on the affected system to identify and remove any additional threats or remnants of the malicious extension.
+- Review and reset browser settings to default to ensure no residual configurations or settings are left by the malicious extension.
+- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
+- Implement application whitelisting to prevent unauthorized browser extensions from being installed in the future, focusing on the directories and file types identified in the detection query."""
+risk_score = 21
+rule_id = "f97504ac-1053-498f-aeaa-c6d01e76b379"
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Persistence",
+    "Data Source: Elastic Defend",
+    "Data Source: Elastic Endgame",
+    "Data Source: SentinelOne",
+    "Data Source: Sysmon",
+    "Data Source: Microsoft Defender for Endpoint",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where host.os.type == "windows" and event.type : "creation" and
+(
+  /* Firefox-Based Browsers */
+  (
+    file.name : "*.xpi" and
+    file.path : "?:\\Users\\*\\AppData\\Roaming\\*\\Profiles\\*\\Extensions\\*.xpi" and
+    not
+    (
+      process.name : "firefox.exe" and
+      file.name : ("langpack-*@firefox.mozilla.org.xpi", "*@dictionaries.addons.mozilla.org.xpi")
+    )
+  ) or
+  /* Chromium-Based Browsers */
+  (
+    file.name : "*.crx" and
+    file.path : "?:\\Users\\*\\AppData\\Local\\*\\*\\User Data\\Webstore Downloads\\*"
+  )
+)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1176"
+name = "Software Extensions"
+reference = "https://attack.mitre.org/techniques/T1176/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+

nldcsc_elastic_rules/rules/windows/persistence_dontexpirepasswd_account.toml

@@ -0,0 +1,108 @@
+[metadata]
+creation_date = "2022/02/22"
+integration = ["system", "windows"]
+maturity = "production"
+updated_date = "2025/03/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the creation and modification of an account with the "Don't Expire Password" option Enabled. Attackers can abuse
+this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this
+property.
+"""
+false_positives = [
+    """
+    User accounts can be used as service accounts and have their password set never to expire. This is a bad security
+    practice that exposes the account to Credential Access attacks. For cases in which user accounts cannot be avoided,
+    Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is
+    robust and changed regularly and automatically.
+    """,
+]
+from = "now-9m"
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Account Configured with Never-Expiring Password"
+note = """## Triage and analysis
+
+### Investigating Account Configured with Never-Expiring Password
+
+Active Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged.
+
+The setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set.
+
+#### Possible investigation steps
+
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Contact the account owner and confirm whether they are aware of this activity.
+- Investigate other alerts associated with the user/source host during the past 48 hours.
+- Inspect the account for suspicious or abnormal behaviors in the alert timeframe.
+
+### False positive analysis
+
+- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.
+- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.
+- Reset the password of the account and update its password settings.
+- Search for other occurrences on the domain.
+    - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser):
+        - `get-aduser -filter { passwordNeverExpires -eq $true  -and enabled -eq $true } | ft`
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+references = [
+    "https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire",
+    "http://web.archive.org/web/20230329171952/https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html",
+]
+risk_score = 47
+rule_id = "62a70f6f-3c37-43df-a556-f64fa475fba2"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Persistence",
+    "Data Source: Active Directory",
+    "Resources: Investigation Guide",
+    "Use Case: Active Directory Monitoring",
+    "Data Source: Windows Security Event Logs",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where host.os.type == "windows" and
+(
+  (
+    event.code == "4738" and winlog.event_data.NewUACList == "USER_DONT_EXPIRE_PASSWORD" and not user.id == "S-1-5-18"
+  ) or
+  (
+    event.code == "5136" and winlog.event_data.AttributeLDAPDisplayName == "userAccountControl" and
+    winlog.event_data.AttributeValue in ("66048", "66080") and winlog.event_data.OperationType == "%%14674" and
+    not (
+      winlog.event_data.SubjectUserName : "*svc*" or
+      winlog.event_data.ObjectDN : "*Service*"
+    )
+  )
+)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+