Mounting Hidden or WebDav Remote Shares

Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.


  1[metadata]
  2creation_date = "2020/11/02"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
  6min_stack_version = "8.3.0"
  7updated_date = "2024/03/28"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or
 13preparation for data exfiltration.
 14"""
 15from = "now-9m"
 16index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
 17language = "eql"
 18license = "Elastic License v2"
 19name = "Mounting Hidden or WebDav Remote Shares"
 20risk_score = 47
 21rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14"
 22setup = """## Setup
 23
 24If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 25events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 26Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 27`event.ingested` to @timestamp.
 28For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 29"""
 30severity = "medium"
 31tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
 32timestamp_override = "event.ingested"
 33type = "eql"
 34
 35query = '''
 36process where host.os.type == "windows" and event.type == "start" and
 37 ((process.name : "net.exe" or ?process.pe.original_file_name == "net.exe") or ((process.name : "net1.exe" or ?process.pe.original_file_name == "net1.exe") and
 38 not process.parent.name : "net.exe")) and
 39 process.args : "use" and
 40 /* including hidden and webdav based online shares such as onedrive  */
 41 process.args : ("\\\\*\\*$*", "\\\\*@SSL\\*", "http*") and
 42 /* excluding shares deletion operation */
 43 not process.args : "/d*"
 44'''
 45
 46
 47[[rule.threat]]
 48framework = "MITRE ATT&CK"
 49[[rule.threat.technique]]
 50id = "T1021"
 51name = "Remote Services"
 52reference = "https://attack.mitre.org/techniques/T1021/"
 53[[rule.threat.technique.subtechnique]]
 54id = "T1021.002"
 55name = "SMB/Windows Admin Shares"
 56reference = "https://attack.mitre.org/techniques/T1021/002/"
 57
 58
 59
 60[rule.threat.tactic]
 61id = "TA0008"
 62name = "Lateral Movement"
 63reference = "https://attack.mitre.org/tactics/TA0008/"
 64[[rule.threat]]
 65framework = "MITRE ATT&CK"
 66[[rule.threat.technique]]
 67id = "T1078"
 68name = "Valid Accounts"
 69reference = "https://attack.mitre.org/techniques/T1078/"
 70[[rule.threat.technique.subtechnique]]
 71id = "T1078.003"
 72name = "Local Accounts"
 73reference = "https://attack.mitre.org/techniques/T1078/003/"
 74
 75
 76
 77[rule.threat.tactic]
 78id = "TA0001"
 79name = "Initial Access"
 80reference = "https://attack.mitre.org/tactics/TA0001/"
 81
 82[[rule.threat]]
 83framework = "MITRE ATT&CK"
 84[[rule.threat.technique]]
 85id = "T1087"
 86name = "Account Discovery"
 87reference = "https://attack.mitre.org/techniques/T1087/"
 88[[rule.threat.technique.subtechnique]]
 89id = "T1087.001"
 90name = "Local Account"
 91reference = "https://attack.mitre.org/techniques/T1087/001/"
 92[[rule.threat.technique.subtechnique]]
 93id = "T1087.002"
 94name = "Domain Account"
 95reference = "https://attack.mitre.org/techniques/T1087/002/"
 96
 97[rule.threat.tactic]
 98id = "TA0007"
 99name = "Discovery"
100reference = "https://attack.mitre.org/tactics/TA0007/"
